registry  /  @yancyyu/agentcli  /  1.9.25

@yancyyu/agentcli@1.9.25

AgentCli: AI 工程协作平台,本地优先的用量采集与团队协作工具。

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package extracts decrypted Lark CLI credentials from user-local storage and uploads them to its AgentBus service. Reporting is automatically scheduled by the usage worker and silently triggered after Digital Worker authorization.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
Run `agentcli usage start`, a running usage worker interval, or Digital Worker authorization.
Impact
Exfiltrates reusable Lark app secrets and access/refresh tokens.
Mechanism
local Lark credential harvesting followed by authenticated remote POST
Attack narrative
On macOS or Windows, the reporter reads Lark CLI credential material, including the app secret and access/refresh tokens, from the CLI's local keychain-backed storage. It refreshes eligible authorizations, batches the plaintext credentials, and posts them to the AgentBus endpoint using the package's saved service token. The package schedules this during normal usage telemetry and also launches it silently after a Digital Worker authorization flow.
Rationale
Source directly implements credential harvesting and remote transmission of reusable Lark secrets. The user-facing telemetry and Digital Worker paths make this behavior concrete despite the absence of postinstall exfiltration.
Evidence
package.jsonscripts/report-lark-credentials-once.mjsbin/lib/larkSecrets.mjsbin/lib/navigationCommand.mjssrc/main/telemetry/larkCredentials.tssrc/main/telemetry/worker.ts~/Library/Application Support/lark-cli/*.enc~/.lark-cli/config.json
Network endpoints1
agentbus.skg.com/api/v1/feishu/lark-cli/credentials/batch

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `src/main/telemetry/larkCredentials.ts` decrypts lark-cli app secrets and access/refresh tokens from local stores.
  • It builds a payload containing `app_secret`, `access_token`, and `refresh_token` and POSTs it to `/api/v1/feishu/lark-cli/credentials/batch`.
  • `src/shared/constants/cloudConfig.mjs` defaults the recipient to `https://agentbus.skg.com`.
  • `src/main/telemetry/worker.ts` runs Lark credential reporting on `agentcli usage start` and each telemetry-worker interval.
  • `bin/lib/navigationCommand.mjs` silently detaches credential reporting after Digital Worker authorization.
  • `package.json` ships an explicit `lark:report-once` script that invokes the reporter.
Evidence against
  • The credential POST requires a saved AgentBus bearer token and a local lark-cli authorization.
  • `bin/postinstall.mjs` itself seeds package workflows and migrates package data; it does not invoke the credential reporter.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
CopyleftLicense
scanned 1,126 file(s), 10.3 MB of source, external domains: 0.0.0.0, 127.0.0.1, 159.75.231.98, 47.112.24.153, agentbus.skg.com, api.anthropic.com, api.dicebear.com, api.example.com, api.github.com, cdn.jsdelivr.net, chevrotain.io, configured.example.test, en.wikipedia.org, github.com, jquery.org, langium.org, monitor.test, override.example.test, raw.githubusercontent.com, react.dev, redis.example.com, redis.lazymind.vip, registry.npmjs.org, tldrlegal.com, voicetext.site, www.w3.org, yancyuu.github.io, yancyyu.github.io
Oversized source lightweight scan
dist-renderer/assets/index-CpqPP6A-.js6.24 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsreact.dev

Source & flagged code

19 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/kill-dev.jsView file
1#!/usr/bin/env node L2: import { spawnSync } from 'child_process'; L3:
High
Child Process

Package source references child process execution.

bin/kill-dev.jsView on unpkg · L1
8stdio: 'inherit', L9: shell: true, L10: });
High
Shell

Package source references shell execution.

bin/kill-dev.jsView on unpkg · L8
bin/lib/navigationCommand.mjsView file
134L135: const require = createRequire(import.meta.url); L136:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/lib/navigationCommand.mjsView on unpkg · L134
bin/lib/teams.mjsView file
70if (!raw) return ''; L71: if (raw === '~') return os.homedir(); L72: if (raw.startsWith('~/')) return path.join(os.homedir(), raw.slice(2));
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/lib/teams.mjsView on unpkg · L70
bin/lib/usageCommand.mjsView file
65import { existsSync, mkdirSync, writeFileSync, readFileSync, unlinkSync, openSync, closeSync, statSync } from 'node:fs'; L66: import { spawn, execSync } from 'node:child_process'; L67: import os from 'node:os'; ... L73: function fitProgressLine(text) { L74: const columns = Math.max(40, Number(process.stdout.columns || 80)); L75: const maxWidth = Math.max(20, columns - 2); ... L112: running: Boolean(server?.running), L113: url: server?.url || `http://127.0.0.1:${port}`, L114: version: server?.version || '', ... L263: return lines.flatMap((line) => { L264: try { return [JSON.parse(line)]; } catch { return []; } L265: });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/lib/usageCommand.mjsView on unpkg · L65
bin/lib/auth.mjsView file
378async function openExternalUrl(url) { L379: const mode = process.env.OPENHERMIT_AUTH_OPEN_BROWSER || process.env.OPENHERMIT_OAUTH_OPEN_BROWSER; L380: if (mode === '0') return { opened: false, skipped: true }; L381: if (mode === 'fetch') { L382: await fetch(url, { redirect: 'follow', signal: AbortSignal.timeout(30_000) }); L383: return { opened: true, mode: 'fetch' }; ... L388: // as a single argument, so query characters (& ? =) need no shell quoting. L389: // The previous powershell `Start-Process -FilePath $args[0]` form exited L390: // non-zero and the browser silently never opened on Windows.
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/lib/auth.mjsView on unpkg · L378
bin/postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L3: import { L4: copyFileSync, L5: cpSync, L6: existsSync, L7: mkdirSync, L8: readFileSync, ... L11: rmSync, L12: writeFileSync, L13: } from 'node:fs'; ... L46: const bundledWorkflowsDir = path.join(packageRoot, 'src/main/services/system-manager/builtin-workflows'); L47: const hermitWorkflowDir = path.join(hermitHome, '.claude', 'workflow'); L48: const builtinWorkflowMarker = '<!-- hermit-builtin-workflow:v2-loop -->'; Payload evidence from src/renderer/features/CLAUDE.md: L1: # Renderer Features - Legacy Note L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/postinstall.mjsView on unpkg · L1
bin/lib/update.mjsView file
90try { L91: exec(`npm install -g ${BRAND.npmPackage}@latest --registry=https://registry.npmjs.org/`, { L92: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/lib/update.mjsView on unpkg · L90
dist-renderer/icon.rarView file
path = dist-renderer/icon.rar kind = high_entropy_blob sizeBytes = 85506 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-renderer/icon.rarView on unpkg
path = dist-renderer/icon.rar kind = compressed_blob sizeBytes = 85506 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist-renderer/icon.rarView on unpkg
path = dist-renderer/icon.rar kind = nested_archive_needs_inspection sizeBytes = 85506 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist-renderer/icon.rarView on unpkg
dist-renderer/assets/index-CpqPP6A-.jsView file
path = dist-renderer/assets/index-CpqPP6A-.js kind = oversized_source_file sizeBytes = 6543246 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-renderer/assets/index-CpqPP6A-.jsView on unpkg
bin/lib/daemon.mjsView file
matchType = normalized_sha256 matchedPackage = @yancyyu/agentcli@1.9.14 matchedPath = bin/lib/daemon.mjs matchedIdentity = npm:QHlhbmN5eXUvYWdlbnRjbGk:1.9.14 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/lib/daemon.mjsView on unpkg
bin/lib/feishuAssistant.mjsView file
matchType = normalized_sha256 matchedPackage = @yancyyu/agentcli@1.9.14 matchedPath = bin/lib/feishuAssistant.mjs matchedIdentity = npm:QHlhbmN5eXUvYWdlbnRjbGk:1.9.14 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/lib/feishuAssistant.mjsView on unpkg
dist-renderer/assets/cytoscape.esm-DsxaTqgk.jsView file
matchType = normalized_sha256 matchedPackage = @yancyyu/agentcli@1.9.14 matchedPath = dist-renderer/assets/cytoscape.esm-DsxaTqgk.js matchedIdentity = npm:QHlhbmN5eXUvYWdlbnRjbGk:1.9.14 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist-renderer/assets/cytoscape.esm-DsxaTqgk.jsView on unpkg
dist-renderer/assets/diagram-PSM6KHXK-XvynTTMh.jsView file
matchType = normalized_sha256 matchedPackage = @yancyyu/agentcli@1.9.14 matchedPath = dist-renderer/assets/diagram-PSM6KHXK-DgXV3pP1.js matchedIdentity = npm:QHlhbmN5eXUvYWdlbnRjbGk:1.9.14 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist-renderer/assets/diagram-PSM6KHXK-XvynTTMh.jsView on unpkg
dist-renderer/assets/flowDiagram-NV44I4VS-yyKwBM6e.jsView file
matchType = normalized_sha256 matchedPackage = @yancyyu/agentcli@1.9.14 matchedPath = dist-renderer/assets/flowDiagram-NV44I4VS-C1JwwHb7.js matchedIdentity = npm:QHlhbmN5eXUvYWdlbnRjbGk:1.9.14 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist-renderer/assets/flowDiagram-NV44I4VS-yyKwBM6e.jsView on unpkg

Findings

1 Critical12 High7 Medium8 Low
CriticalAi Agent Control Hijackbin/postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/kill-dev.js
HighShellbin/kill-dev.js
HighSame File Env Network Executionbin/lib/auth.mjs
HighRuntime Package Installbin/lib/update.mjs
HighShips High Entropy Blobdist-renderer/icon.rar
HighOversized Source Filedist-renderer/assets/index-CpqPP6A-.js
HighKnown Malware Source Similaritybin/lib/daemon.mjs
HighKnown Malware Source Similaritybin/lib/feishuAssistant.mjs
HighKnown Malware Source Similaritydist-renderer/assets/cytoscape.esm-DsxaTqgk.js
HighKnown Malware Source Similaritydist-renderer/assets/diagram-PSM6KHXK-XvynTTMh.js
HighKnown Malware Source Similaritydist-renderer/assets/flowDiagram-NV44I4VS-yyKwBM6e.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/lib/navigationCommand.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/lib/usageCommand.mjs
MediumShips Compressed Blobdist-renderer/icon.rar
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/lib/teams.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist-renderer/icon.rar
LowCopyleft License