registry  /  @wkoutre/teamwork-os  /  1.0.58

@wkoutre/teamwork-os@1.0.58

AI agent orchestration platform.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
Running `teamos` commands, especially `teamos init` or onboarding
Impact
Can create persistent local automation and invoke AI-agent workflows after user confirmation
Mechanism
Opaque bytecode orchestrates Claude agents, local gateway services, and scheduled jobs
Rationale
No concrete malicious chain or lifecycle abuse was found, but opaque bytecode combined with local persistence and AI-agent scheduling is a meaningful dangerous capability that cannot be fully audited statically.
Evidence
package.jsoncli.jsgateway.jsREADME.mdonboarding-plugin/skills/onboarding/SKILL.mdcli.x64.jscgateway.x64.jsc~/.teamwork/~/.teamwork/.env
Network endpoints5
127.0.0.1:localhost:api.anthropic.comapi.figma.com/v1/meapi.notion.com/v1/users/me

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `cli.js` and `gateway.js` load opaque architecture-specific `.jsc` bytecode via bytenode.
  • Bytecode strings reference `node:child_process`, `execFile`, `spawn`, `writeFile`, `unlink`, and `rmSync`.
  • `onboarding-plugin/skills/onboarding/SKILL.md` directs confirmed agent/job creation; jobs auto-install into system crontab.
  • README documents optional launchd/systemd persistence and scheduled Claude Code agent execution.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Readable entrypoints only perform version/architecture checks then load local packaged bytecode.
  • Documented setup is initiated through `teamos init` and describes confirmation before creating agents or scheduled jobs.
  • Observed endpoints are local service and named integration/API hosts; no concrete credential exfiltration chain was established.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 42 file(s), 2.36 MB of source, external domains: fb.me, github.com, linear.app, pro.reactflow.dev, radix-ui.com, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

2 flagged · loading source
gateway.jsView file
1'use strict'; L2: var path = require('node:path'); L3: var fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

gateway.jsView on unpkg · L1
gateway.x64.jscView file
path = gateway.x64.jsc kind = node_bytecode sizeBytes = 4171392 magicHex = [redacted]
High
Ships Node Bytecode

Package ships compiled Node/V8 bytecode artifacts.

gateway.x64.jscView on unpkg

Findings

1 High4 Medium4 Low
HighShips Node Bytecodegateway.x64.jsc
MediumDynamic Requiregateway.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings