registry  /  @yancyyu/agentcli  /  1.9.10

@yancyyu/agentcli@1.9.10

AgentCli: AI 工程协作平台,本地优先的用量采集与团队协作工具。

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code writes package workflows under the package-owned `~/.hermit/.claude/workflow` directory and migrates its own legacy runtime data. No source evidence shows install-time network access, credential exfiltration, remote payload execution, or mutation of broad foreign agent configuration.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm postinstall
Impact
Adds/refreshes package-managed AI workflow files and relocates legacy Hermit runtime files during installation.
Mechanism
first-party Hermit workflow seeding and runtime-directory migration
Rationale
Source inspection confirms a scoped, install-time first-party agent-workflow setup rather than concrete malicious behavior. Warn because lifecycle mutation remains security-relevant; do not block absent foreign broad-surface mutation or an exfiltration/payload chain.
Evidence
package.jsonbin/postinstall.mjsbin/lib/aikey.mjsbin/hermit.mjsREADME.mdsrc/main/services/system-manager/builtin-workflows/team-asset-dry-run-classifier.js~/.hermit/.claude/workflow~/.hermit/hermit-bridge~/.hermit/cc-connect

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `bin/postinstall.mjs` on installation.
  • `bin/postinstall.mjs` creates `~/.hermit/.claude/workflow` and copies bundled workflow files there.
  • Postinstall refreshes marked workflow files and migrates/deletes legacy `~/.hermit/cc-connect` runtime paths.
  • `bin/lib/aikey.mjs` can modify `~/.claude` and `~/.codex`, but only through explicit CLI key-claim flow.
Evidence against
  • `bin/postinstall.mjs` performs no network requests or child-process execution.
  • Workflow seeding skips files without its marker, preserving user-managed files.
  • Bundled workflow JS is proposal/read-only oriented and forbids secret reads, execution, and external uploads.
  • AI-key configuration mutation is user-invoked; README documents targets, backup, and restore behavior.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
CopyleftLicense
scanned 1,123 file(s), 10.3 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.anthropic.com, api.dicebear.com, api.example.com, api.github.com, cdn.jsdelivr.net, chevrotain.io, en.wikipedia.org, github.com, jquery.org, langium.org, monitor.test, raw.githubusercontent.com, react.dev, redis.example.com, redis.lazymind.vip, registry.npmjs.org, tldrlegal.com, voicetext.site, www.w3.org, yancyuu.github.io, yancyyu.github.io
Oversized source lightweight scan
dist-renderer/assets/index-8qKBJj8I.js6.24 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsreact.dev

Source & flagged code

16 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/kill-dev.jsView file
1#!/usr/bin/env node L2: import { spawnSync } from 'child_process'; L3:
High
Child Process

Package source references child process execution.

bin/kill-dev.jsView on unpkg · L1
8stdio: 'inherit', L9: shell: true, L10: });
High
Shell

Package source references shell execution.

bin/kill-dev.jsView on unpkg · L8
bin/lib/navigationCommand.mjsView file
132L133: const require = createRequire(import.meta.url); L134:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/lib/navigationCommand.mjsView on unpkg · L132
bin/lib/teams.mjsView file
70if (!raw) return ''; L71: if (raw === '~') return os.homedir(); L72: if (raw.startsWith('~/')) return path.join(os.homedir(), raw.slice(2));
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/lib/teams.mjsView on unpkg · L70
bin/lib/aikey.mjsView file
116L117: const home = os.homedir(); L118: let rcFile; L119: if (isZsh) { L120: rcFile = path.join(home, '.zshrc'); L121: } else { ... L157: try { L158: raw = JSON.parse(readFileSync(mockPath, 'utf-8')); L159: } catch { ... L169: if (!ctx) return null; L170: const res = await fetch(`${ctx.baseUrl}/api/v1/hermit/ai-key`, { L171: headers: { Authorization: `Bearer ${ctx.token}`, Accept: 'application/json' },
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/lib/aikey.mjsView on unpkg · L116
bin/lib/auth.mjsView file
367async function openExternalUrl(url) { L368: const mode = process.env.OPENHERMIT_AUTH_OPEN_BROWSER || process.env.OPENHERMIT_OAUTH_OPEN_BROWSER; L369: if (mode === '0') return { opened: false, skipped: true }; L370: if (mode === 'fetch') { L371: await fetch(url, { redirect: 'follow', signal: AbortSignal.timeout(30_000) }); L372: return { opened: true, mode: 'fetch' }; ... L377: // as a single argument, so query characters (& ? =) need no shell quoting. L378: // The previous powershell `Start-Process -FilePath $args[0]` form exited L379: // non-zero and the browser silently never opened on Windows.
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/lib/auth.mjsView on unpkg · L367
bin/lib/update.mjsView file
3L4: import { execSync } from 'node:child_process'; L5: import path from 'node:path'; ... L18: try { L19: const res = await fetch(`https://api.github.com/repos/${BRAND.githubRepo}/releases/latest`, { L20: signal: AbortSignal.timeout(10000), ... L25: } L26: const data = await res.json(); L27: const latestVersion = data.tag_name?.replace(/^v/, ''); ... L75: const hint = L76: process.platform === 'win32' L77: ? `先关闭所有运行中的 agentcli 进程(或重启电脑)再重试:npm install -g ${BRAND.npmPackage}@latest --prefer-online`
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/lib/update.mjsView on unpkg · L3
62// pulls the true latest from the authoritative source. L63: execSync(`npm install -g ${BRAND.npmPackage}@latest --registry=https://registry.npmjs.org/`, { stdio: 'inherit' }); L64: [redacted]();
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/lib/update.mjsView on unpkg · L62
bin/postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L3: import { L4: copyFileSync, L5: cpSync, L6: existsSync, L7: mkdirSync, L8: readFileSync, ... L11: rmSync, L12: writeFileSync, L13: } from 'node:fs'; ... L46: const bundledWorkflowsDir = path.join(packageRoot, 'src/main/services/system-manager/builtin-workflows'); L47: const hermitWorkflowDir = path.join(hermitHome, '.claude', 'workflow'); L48: const builtinWorkflowMarker = '<!-- hermit-builtin-workflow:v2-loop -->'; Payload evidence from src/renderer/features/CLAUDE.md: L1: # Renderer Features - Legacy Note L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/postinstall.mjsView on unpkg · L1
dist-renderer/icon.rarView file
path = dist-renderer/icon.rar kind = high_entropy_blob sizeBytes = 85506 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-renderer/icon.rarView on unpkg
path = dist-renderer/icon.rar kind = compressed_blob sizeBytes = 85506 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist-renderer/icon.rarView on unpkg
path = dist-renderer/icon.rar kind = nested_archive_needs_inspection sizeBytes = 85506 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist-renderer/icon.rarView on unpkg
dist-renderer/assets/index-8qKBJj8I.jsView file
path = dist-renderer/assets/index-8qKBJj8I.js kind = oversized_source_file sizeBytes = 6543243 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-renderer/assets/index-8qKBJj8I.jsView on unpkg
bin/hermit.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @yancyyu/agentcli@1.9.7 matchedIdentity = npm:QHlhbmN5eXUvYWdlbnRjbGk:1.9.7 similarity = 0.908 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/hermit.mjsView on unpkg

Findings

2 Critical8 High7 Medium8 Low
CriticalAi Agent Control Hijackbin/postinstall.mjs
CriticalPrevious Version Dangerous Deltabin/hermit.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/kill-dev.js
HighShellbin/kill-dev.js
HighSame File Env Network Executionbin/lib/auth.mjs
HighSandbox Evasion Gated Capabilitybin/lib/update.mjs
HighRuntime Package Installbin/lib/update.mjs
HighShips High Entropy Blobdist-renderer/icon.rar
HighOversized Source Filedist-renderer/assets/index-8qKBJj8I.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/lib/navigationCommand.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/lib/aikey.mjs
MediumShips Compressed Blobdist-renderer/icon.rar
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/lib/teams.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist-renderer/icon.rar
LowCopyleft License