AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked AI CLI with web, file, and shell capabilities that are disclosed in README and gated for side effects by approval unless --yolo is chosen.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs ollie/olliecli, enables --yolo, approves a tool call, uses /update, or starts olliecli mcp.
Impact
Could modify workspace files or run commands only through user-invoked CLI flows; no install-time compromise found.
Mechanism
AI CLI with approved workspace tools and package-aligned network calls
Rationale
Static inspection shows a disclosed AI terminal agent with potentially dangerous user-facing capabilities, but no unconsented install-time execution or hidden exfiltration/destructive behavior. The suspicious primitives are package-aligned and activated by explicit CLI/MCP use or user approval.
Evidence
package.jsonREADME.mddist/index.jsdist/chunk-35QJORM2.jsdist/mcp-AWCHRPUF.jsOLLIE.mdworkspace paths supplied to read_file/write_file/list_dir~/.olliechat/config.json~/.olliechat/models.json~/.olliechat/key.json~/.olliechat/update.json
Network endpoints5
olliechat-lac.vercel.appsh00t.host/v1api.duckduckgo.com/html.duckduckgo.com/html/registry.npmjs.org/@weirdmm/olliecli/latest
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js exposes AI tools that can read/write workspace files and run shell commands
- dist/index.js supports --yolo and /yolo to auto-approve write_file/run_command tools
- dist/chunk-35QJORM2.js fetches model/key/update metadata and can spawn npm install -g on explicit update
Evidence against
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script
- dist/index.js gates write_file and run_command behind interactive approval unless user enables yolo
- Network calls are package-aligned AI/chat, DuckDuckGo web search, URL fetch, model sync, and npm update checks
- dist/mcp-AWCHRPUF.js only serves MCP ask/list_models over stdio and calls the configured chat API
- No credential harvesting, persistence, destructive install-time behavior, or foreign AI-agent config mutation found
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/chunk-35QJORM2.jsView file
110import { mkdir, readFile, writeFile } from "fs/promises";
L111: var SITE_BASE = (process.env.OLLIE_SITE || "https://olliechat-lac.vercel.app").replace(/\/+$/, "");
L112: var UPSTREAM_BASE = "https://sh00t.host/v1";
...
L149: }
L150: var CONFIG_DIR = join(homedir(), ".olliechat");
L151: var CONFIG_PATH = join(CONFIG_DIR, "config.json");
...
L154: const raw = await readFile(CONFIG_PATH, "utf8");
L155: return { ...DEFAULTS, ...JSON.parse(raw) };
L156: } catch {
...
L169: import { mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
L170: import { spawn } from "child_process";
L171: var DIR = join2(homedir2(), ".olliechat");
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/chunk-35QJORM2.jsView on unpkg · L110Findings
1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/chunk-35QJORM2.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings