registry  /  @voybio/ace-swarm  /  2.4.6

@voybio/ace-swarm@2.4.6

ACE Framework MCP server and CLI — single-file ACEPACK state, local-model serving, agent orchestration, and host compliance enforcement.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `ace turnkey`, `ace preconfig`, or starts an unattended session after configuring `ACE_WORKFLOW.md`.
Impact
Can alter the opted-in workspace's AI-agent control surface and execute configured commands; this is a powerful agent framework capability rather than confirmed covert compromise.
Mechanism
Explicit workspace agent-hook setup, configured shell execution, and provider API calls.
Rationale
The source supports a warning for explicit AI-agent configuration and shell-execution capability, not a block for malware. All sensitive actions require a user CLI action or a separately configured workspace profile.
Evidence
package.jsondist/cli.jsdist/store/materializers/host-file-materializer.jsdist/helpers/bootstrap.jsdist/runtime-command.jsdist/tui/openai-compatible.jsassets/scripts/ace-hook-dispatch.mjsassets/agent-state/ACE_WORKFLOW.md.agents/ACE/.claude/settings.json.agents/ACE/.github/hooks/ace-copilot.json.mcp-config/codex.hooks.toml
Network endpoints5
api.openai.com/v1models.github.com/v1api.anthropic.com/v1127.0.0.1:11434127.0.0.1:8080

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/store/materializers/host-file-materializer.js` writes workspace hook configs that invoke ACE dispatcher on agent lifecycle events.
  • `dist/runtime-command.js` executes configured commands via `sh -c`; unattended execution requires a workspace profile.
  • `dist/tui/openai-compatible.js` sends chat requests using configured provider URLs and environment API keys.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
  • `dist/cli.js` runs bootstrap/configuration only for explicit CLI commands and guards import side effects.
  • Default `assets/agent-state/ACE_WORKFLOW.md` is interactive with `executor.command: null`.
  • `assets/scripts/ace-hook-dispatch.mjs` reads workspace state and emits hook responses; no network or subprocess execution found.
  • Provider endpoints are named AI services or local runtimes, with no hidden third-party exfiltration endpoint.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 141 file(s), 2.06 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, models.github.com

Source & flagged code

5 flagged · loading source
dist/tools-goal.jsView file
8*/ L9: import { spawn } from "node:child_process"; L10: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

dist/tools-goal.jsView on unpkg · L8
dist/tui/openai-compatible.jsView file
569} L570: const GITHUB_MODELS_BASE_URL = "https://models.github.com/v1"; L571: export const ANTHROPIC_OPENAI_COMPATIBLE_BASE_URL = "https://api.anthropic.com/v1"; ... L576: export function resolveGitHubToken() { L577: const envToken = process.env.GITHUB_TOKEN?.trim() || L578: process.env.GH_TOKEN?.trim() || ... L583: try { L584: const { execSync } = require("node:child_process"); L585: const token = execSync("gh auth token 2>/dev/null", {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/tui/openai-compatible.jsView on unpkg · L569
583try { L584: const { execSync } = require("node:child_process"); L585: const token = execSync("gh auth token 2>/dev/null", {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tui/openai-compatible.jsView on unpkg · L583
dist/helpers/bootstrap.jsView file
77'[ -s "$HOME/.zprofile" ] && . "$HOME/.zprofile"', L78: '[ -s "$HOME/.zshrc" ] && . "$HOME/.zshrc"', L79: ].join("; "); ... L115: function getMcpCommandSpec(workspaceRoot = resolveWorkspaceRoot()) { L116: if (process.platform !== "win32") { L117: const shell = process.env.SHELL || "/bin/zsh"; L118: return { ... L123: return { L124: command: "cmd.exe", L125: args: ["/d", "/s", "/c", buildWindowsMcpLaunchCommand(workspaceRoot)], ... L482: if (client === "codex") { L483: const codexHome = resolve(process.env.CODEX_HOME ?? resolve(homedir(), ".codex"));
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/helpers/bootstrap.jsView on unpkg · L77
scripts/hermes_bridge_worker.pyView file
path = scripts/hermes_bridge_worker.py kind = build_helper sizeBytes = 5767 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/hermes_bridge_worker.pyView on unpkg

Findings

3 High6 Medium5 Low
HighChild Processdist/tools-goal.js
HighShell
HighSame File Env Network Executiondist/tui/openai-compatible.js
MediumDynamic Requiredist/tui/openai-compatible.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/helpers/bootstrap.js
MediumShips Build Helperscripts/hermes_bridge_worker.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings