registry  /  @wkoutre/teamwork-os  /  1.0.55

@wkoutre/teamwork-os@1.0.55

AI agent orchestration platform.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time attack is established. Running `teamos` or the gateway executes opaque V8 bytecode that source inspection cannot fully audit; its embedded strings indicate command execution, environment access, local credential-path references, and package-aligned integrations.

Static reason
No blocking static signals were detected.
Trigger
User runs `teamos`, imports the main entrypoint, or starts the gateway.
Impact
Potential command, local-file, environment, and network access remains unresolved.
Mechanism
Opaque Bytenode bytecode execution with local orchestration integrations.
Rationale
No concrete malicious behavior or unconsented install-time control-surface mutation was established, but the actual executable logic is opaque bytecode containing high-risk primitives and external endpoints.
Evidence
package.jsoncli.jsgateway.jsREADME.mdcli.x64.jscgateway.x64.jsconboarding-plugin/skills/onboarding/SKILL.mdcli.arm64.jscgateway.arm64.jsc
Network endpoints5
api.anthropic.comslack.com/api/auth.testapi.figma.com/v1/meapi.notion.com/v1/users/meregistry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `cli.js` and `gateway.js` execute architecture-specific opaque `.jsc` payloads through `bytenode`.
  • The four executable bytecode files total about 16 MB and contain `child_process`, `execSync`/`spawnSync`, `process.env`, `.npmrc`, and `/.ssh` strings.
  • Bytecode contains external API literals for Anthropic, Slack, Figma, Notion, GitHub, and npm registry endpoints.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle script.
  • The readable loaders only perform Node/CPU checks and load local bytecode.
  • `README.md` describes user-invoked local orchestration, optional integrations, and optional service setup via `teamos init`.
  • No readable source proves credential harvesting, exfiltration, destructive behavior, or foreign AI-agent configuration mutation.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 42 file(s), 2.36 MB of source, external domains: fb.me, github.com, linear.app, pro.reactflow.dev, radix-ui.com, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

2 flagged · loading source
gateway.jsView file
1'use strict'; L2: var path = require('node:path'); L3: var fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

gateway.jsView on unpkg · L1
gateway.x64.jscView file
path = gateway.x64.jsc kind = node_bytecode sizeBytes = 4171296 magicHex = [redacted]
High
Ships Node Bytecode

Package ships compiled Node/V8 bytecode artifacts.

gateway.x64.jscView on unpkg

Findings

1 High4 Medium4 Low
HighShips Node Bytecodegateway.x64.jsc
MediumDynamic Requiregateway.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings