registry  /  @weirdmm/olliecli  /  0.17.1

@weirdmm/olliecli@0.17.1

OllieChat in your terminal — a warm, streaming AI CLI with workspace, web search and command execution.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked AI CLI with web, file, and shell capabilities that are disclosed in README and gated for side effects by approval unless --yolo is chosen.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs ollie/olliecli, enables --yolo, approves a tool call, uses /update, or starts olliecli mcp.
Impact
Could modify workspace files or run commands only through user-invoked CLI flows; no install-time compromise found.
Mechanism
AI CLI with approved workspace tools and package-aligned network calls
Rationale
Static inspection shows a disclosed AI terminal agent with potentially dangerous user-facing capabilities, but no unconsented install-time execution or hidden exfiltration/destructive behavior. The suspicious primitives are package-aligned and activated by explicit CLI/MCP use or user approval.
Evidence
package.jsonREADME.mddist/index.jsdist/chunk-35QJORM2.jsdist/mcp-AWCHRPUF.jsOLLIE.mdworkspace paths supplied to read_file/write_file/list_dir~/.olliechat/config.json~/.olliechat/models.json~/.olliechat/key.json~/.olliechat/update.json
Network endpoints5
olliechat-lac.vercel.appsh00t.host/v1api.duckduckgo.com/html.duckduckgo.com/html/registry.npmjs.org/@weirdmm/olliecli/latest

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js exposes AI tools that can read/write workspace files and run shell commands
  • dist/index.js supports --yolo and /yolo to auto-approve write_file/run_command tools
  • dist/chunk-35QJORM2.js fetches model/key/update metadata and can spawn npm install -g on explicit update
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script
  • dist/index.js gates write_file and run_command behind interactive approval unless user enables yolo
  • Network calls are package-aligned AI/chat, DuckDuckGo web search, URL fetch, model sync, and npm update checks
  • dist/mcp-AWCHRPUF.js only serves MCP ask/list_models over stdio and calls the configured chat API
  • No credential harvesting, persistence, destructive install-time behavior, or foreign AI-agent config mutation found
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 68.4 KB of source, external domains: api.duckduckgo.com, html.duckduckgo.com, olliechat-lac.vercel.app, registry.npmjs.org, sh00t.host

Source & flagged code

1 flagged · loading source
dist/chunk-35QJORM2.jsView file
110import { mkdir, readFile, writeFile } from "fs/promises"; L111: var SITE_BASE = (process.env.OLLIE_SITE || "https://olliechat-lac.vercel.app").replace(/\/+$/, ""); L112: var UPSTREAM_BASE = "https://sh00t.host/v1"; ... L149: } L150: var CONFIG_DIR = join(homedir(), ".olliechat"); L151: var CONFIG_PATH = join(CONFIG_DIR, "config.json"); ... L154: const raw = await readFile(CONFIG_PATH, "utf8"); L155: return { ...DEFAULTS, ...JSON.parse(raw) }; L156: } catch { ... L169: import { mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "fs/promises"; L170: import { spawn } from "child_process"; L171: var DIR = join2(homedir2(), ".olliechat");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-35QJORM2.jsView on unpkg · L110

Findings

1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/chunk-35QJORM2.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings