AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malicious attack surface was found. The package is an AI workflow CLI that can write first-party ADOS workflow assets under .agent only after explicit user commands.
Static reason
No blocking static signals were detected.
Trigger
User runs ados init, ados bootstrap --apply, ados auto-create, ados update, or ados doctor.
Impact
Can create or overwrite ADOS workflow files in the current repo when requested; update command can run npm install -g @webton/ados@version.
Mechanism
user-invoked first-party agent workflow setup and CLI diagnostics
Rationale
Source inspection shows a package-aligned ADOS CLI with user-invoked .agent workflow setup and npm registry update checks, but no unconsented lifecycle behavior or malicious chain. Because it mutates an agent control surface only through explicit first-party commands, warn rather than block.
Evidence
package.jsonbin/adosdist/index.jsdist/chunk-VSIA7DDD.jsdist/chunk-JQLKT6VX.jsdist/chunk-SKBWXB2B.jsdist/chunk-GU66S46A.jsdist/chunk-JMVYL342.jsdist/chunk-Z7NMULN7.jsassets/workflows/prime.md.agent/workflows/*.md.agent/loops/*.mddocs/branding/webton-ados-ascii-art.txt.agent/proposed-skills/*/SKILL.md.agent/proposed-workflows/*.md.agent/reports/proposed-skill-log.md
Network endpoints2
registry.npmjs.org/@webton%2Fados/latestregistry.npmjs.org/@webton%2Fados
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/chunk-VSIA7DDD.js copies bundled assets into .agent/workflows via user-invoked ados init.
- dist/chunk-JQLKT6VX.js can sync/overwrite .agent workflows with ados bootstrap --apply --force.
- dist/chunk-SKBWXB2B.js can draft .agent/proposed-skills or .agent/proposed-workflows from user input.
Evidence against
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
- bin/ados only imports dist/index.js; side effects are CLI-command driven.
- dist/chunk-GU66S46A.js network use is limited to npm registry update checks for @webton/ados.
- No credential harvesting, exfiltration endpoint, eval/vm/Function, native binary, or remote payload loader found.
- workflows install is dry-run-only and refuses write mode in dist/chunk-JMVYL342.js.
- doctor uses fixed git/gh diagnostic commands, not package-supplied shell strings.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
1 flagged · loading sourcedist/chunk-JQLKT6VX.jsView file
50function resolveAdosHome(override) {
L51: return override ?? process.env.ADOS_HOME ?? path.join(os.homedir(), ".webton-ados");
L52: }
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/chunk-JQLKT6VX.jsView on unpkg · L50Findings
2 Medium7 Low
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/chunk-JQLKT6VX.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License