registry  /  @webpresso/agent-kit  /  3.1.5

@webpresso/agent-kit@3.1.5

TypeScript-first agent harness for guarded develop/deploy workflows: wp CLI gates, MCP tools, hooks, memory, worktrees, secrets, audits, and evidence checks.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time or import-time attack surface was found. The remaining risk is explicit first-party agent setup that mutates AI-agent hook/plugin surfaces.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `wp setup` or related hook setup/repair commands.
Impact
Can install Webpresso-managed hooks into Claude/Codex project and user configuration; no unconsented npm install-time mutation observed.
Mechanism
first-party agent hook and skill scaffolding plus optional telemetry
Rationale
Source inspection supports a warn-level agent extension lifecycle risk, not malicious behavior: the sensitive writes are explicit setup actions and package-aligned, with no install-time hijack, credential theft, remote payload execution, or stealth persistence found. Scanner critical hits are largely launcher/user-command/validator code rather than concrete attack chains.
Evidence
package.jsonbin/_run.jsbin/wpdist/esm/index.jsdist/esm/cli/commands/init/index.jsdist/esm/cli/commands/init/scaffolders/agent-hooks/index.jsdist/esm/telemetry/setup-tthw.jsdist/esm/hooks/pretool-guard/validators/dangerous-commands.jsdist/esm/cli/commands/err.jsdist/esm/config/oxlint/tier-boundaries.js.claude/settings.json.codex/hooks.json.webpresso/hooks-manifest.json.agent/skills.claude/rules.agents/skills~/.claude/settings.json
Network endpoints1
telemetry.webpresso.dev/v1/setup-tthw

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Explicit `wp setup` scaffolds agent hooks into `.claude/settings.json` and `.codex/hooks.json` in `dist/esm/cli/commands/init/scaffolders/agent-hooks/index.js`.
  • Setup also patches user Claude settings via `defaultClaudeUserSettingsPath()` and can trust Codex hooks when requested.
  • Opt-in telemetry posts setup timing to `https://telemetry.webpresso.dev/v1/setup-tthw` when `WP_TELEMETRY=1` or `WP_INTERNAL=1`.
  • `prepare` lifecycle is only `husky`; no preinstall/install/postinstall mutation found in `package.json`.
  • `bin/_run.js` delegates to packaged `wp` runtime/built/source entrypoints via `spawn`/`spawnSync`.
  • Dangerous command/reverse-shell patterns are deny-list regex validators, not executed payloads.
Evidence against
  • Public import `dist/esm/index.js` is a small API export with no filesystem, shell, or network side effects.
  • Agent hook/config writes are under explicit `wp setup`, not package install or import.
  • Shell execution in `dist/esm/cli/commands/err.js` is user-invoked `wp err <cmd>` passthrough.
  • Dynamic import in `dist/esm/config/oxlint/tier-boundaries.js` loads local `package-boundaries.js` for lint rules with fallback constants.
  • No credential harvesting or exfiltration logic found in inspected hot files.
  • Telemetry is disabled by default except internal/explicit env flags and sends JSON setup payload only.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 665 file(s), 3.25 MB of source, external domains: api.webpresso.io, bun.sh, developers.openai.com, docs.npmjs.com, github.com, json.schemastore.org, raw.githubusercontent.com, registry.npmjs.org, telemetry.webpresso.dev

Source & flagged code

6 flagged · loading source
bin/_run.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @webpresso/agent-kit@2.5.2 matchedIdentity = npm:QHdlYnByZXNzby9hZ2VudC1raXQ:2.5.2 similarity = 0.517 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/_run.jsView on unpkg
2L3: import { spawn, spawnSync } from "node:child_process"; L4: import { existsSync, readFileSync, readdirSync, realpathSync, statSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/_run.jsView on unpkg · L2
dist/esm/cli/commands/err.jsView file
8"Examples:", L9: " wp err sh -c 'echo a; echo \"ERROR: x\"; echo b'", L10: " wp err pnpm test",
High
Shell

Package source references shell execution.

dist/esm/cli/commands/err.jsView on unpkg · L8
dist/esm/config/oxlint/tier-boundaries.jsView file
14try { L15: const packageBoundaryModule = await import(packageBoundaryModuleUrl.href); L16: return packageBoundaryModule.PACKAGE_TIERS ?? FALLBACK_PACKAGE_TIERS;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/esm/config/oxlint/tier-boundaries.jsView on unpkg · L14
dist/esm/audit/weakness-mining/index.jsView file
6import { readPretoolEvidence, } from "./read-pretool-log.js"; L7: export async function auditWeaknessMining(rootDirectory = process.cwd(), options = {}) { L8: const report = mineWeaknesses(rootDirectory, options);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/esm/audit/weakness-mining/index.jsView on unpkg · L6
dist/esm/hooks/pretool-guard/validators/dangerous-commands.jsView file
23{ L24: pattern: /\bbase64\b[^|]*\|\s*(?:sh|bash|zsh)\b/, L25: description: "base64 decoded into a shell executes hidden payloads", ... L28: pattern: /\bnc\b[^\n]*\s-e\s+\S+/, L29: description: "netcat -e spawns a remote shell", L30: }, ... L62: export function validateDangerousCommands(input) { L63: if (process.env.DANGEROUS_COMMANDS_SKIP === "1") L64: return createSkipResult(VALIDATOR_NAME);
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/esm/hooks/pretool-guard/validators/dangerous-commands.jsView on unpkg · L23

Findings

2 Critical2 High5 Medium6 Low
CriticalReverse Shelldist/esm/hooks/pretool-guard/validators/dangerous-commands.js
CriticalPrevious Version Dangerous Deltabin/_run.js
HighChild Processbin/_run.js
HighShelldist/esm/cli/commands/err.js
MediumDynamic Requiredist/esm/config/oxlint/tier-boundaries.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/esm/audit/weakness-mining/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings