registry  /  @yancyyu/agentcli  /  1.9.6

@yancyyu/agentcli@1.9.6

AgentCli: AI 工程协作平台,本地优先的用量采集与团队协作工具。

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time setup mutates a local Hermit agent workflow/control area by copying package-supplied workflows. This is first-party package-owned agent extension setup, not confirmed hijack of a foreign global AI agent surface.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install postinstall; later explicit agentcli runtime/usage/update commands
Impact
Adds or refreshes Hermit workflow prompts and migrates Hermit bridge config; runtime may start local services and, on user invocation, install Claude Code CLI or upload usage when enabled.
Mechanism
postinstall workflow seeding and runtime agent-service setup
Rationale
Source inspection supports a warning for first-party package-owned agent extension setup at install time, but not a publish block: no unconsented foreign/broad AI-agent hijack, install-time exfiltration, remote payload execution, or destructive chain was found. Scanner findings for dynamic/network/package-manager use align with CLI update/runtime/upload features that are user-invoked or gated.
Evidence
package.jsonbin/postinstall.mjsbin/hermit.mjsbin/lib/runtime.mjsbin/lib/update.mjsbin/lib/auth.mjsbin/lib/uploadState.mjssrc/main/services/system-manager/builtin-workflows/compliance-audit.mdsrc/main/services/system-manager/builtin-workflows/team-asset-dry-run-classifier.js~/.hermit/.claude/workflow/*~/.hermit/hermit-bridge/config.toml~/.hermit/hermit-bridge/data~/.hermit/cc-connect/config.toml~/.hermit/cc-connect/data
Network endpoints4
127.0.0.1:9820127.0.0.1:5680api.github.com/repos/${BRAND.githubRepo}/releases/latest159.75.231.98:8088

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node ./bin/postinstall.mjs
  • bin/postinstall.mjs seeds bundled workflow .md/.js files into HERMIT_HOME/.claude/workflow
  • bin/postinstall.mjs migrates/removes legacy ~/.hermit/cc-connect runtime config/data
  • bin/lib/runtime.mjs can auto-install @anthropic-ai/claude-code globally when runtime starts
  • bin/lib/auth.mjs defaults cloud base URL to http://159.75.231.98:8088 for opt-in auth/upload features
Evidence against
  • Workflow contents inspected are mostly read-only/audit/proposal prompts with explicit no-secret/no-destructive boundaries
  • Postinstall writes under package-owned HERMIT_HOME/.claude/workflow, not broad ~/.claude commands/settings
  • No obfuscated payload, credential harvesting, or install-time network fetch found
  • Conversation upload is gated by settings/login and resolveConversationUploadEnabled defaults false
  • bin/lib/update.mjs update/npm install behavior is explicit user command
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
CopyleftLicense
scanned 1,113 file(s), 10.2 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.anthropic.com, api.dicebear.com, api.example.com, api.github.com, cdn.jsdelivr.net, chevrotain.io, en.wikipedia.org, github.com, jquery.org, langium.org, qyapi.weixin.qq.com, raw.githubusercontent.com, react.dev, redis.example.com, redis.lazymind.vip, tldrlegal.com, voicetext.site, www.w3.org, yancyuu.github.io, yancyyu.github.io
Oversized source lightweight scan
dist-renderer/assets/index-h-ET_ve1.js6.24 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsreact.dev

Source & flagged code

14 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/kill-dev.jsView file
1#!/usr/bin/env node L2: import { spawnSync } from 'child_process'; L3:
High
Child Process

Package source references child process execution.

bin/kill-dev.jsView on unpkg · L1
8stdio: 'inherit', L9: shell: true, L10: });
High
Shell

Package source references shell execution.

bin/kill-dev.jsView on unpkg · L8
dist-renderer/assets/livescript-BwQOo05w.jsView file
1var f=function(e,n){var g=n.next||"start";{n.next=n.next;var k=x[g];if(k.splice){for(var l=0;l<k.length;++l){var t=k[l];if(t.regex&&e.match(t.regex))return n.next=t.next||n.next,t....
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist-renderer/assets/livescript-BwQOo05w.jsView on unpkg · L1
bin/lib/teams.mjsView file
70if (!raw) return ''; L71: if (raw === '~') return os.homedir(); L72: if (raw.startsWith('~/')) return path.join(os.homedir(), raw.slice(2));
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/lib/teams.mjsView on unpkg · L70
bin/lib/aikey.mjsView file
116L117: const home = os.homedir(); L118: let rcFile; L119: if (isZsh) { L120: rcFile = path.join(home, '.zshrc'); L121: } else { ... L157: try { L158: raw = JSON.parse(readFileSync(mockPath, 'utf-8')); L159: } catch { ... L169: if (!ctx) return null; L170: const res = await fetch(`${ctx.baseUrl}/api/v1/hermit/ai-key`, { L171: headers: { Authorization: `Bearer ${ctx.token}`, Accept: 'application/json' },
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/lib/aikey.mjsView on unpkg · L116
bin/lib/auth.mjsView file
372async function openExternalUrl(url) { L373: const mode = process.env.OPENHERMIT_AUTH_OPEN_BROWSER || process.env.OPENHERMIT_OAUTH_OPEN_BROWSER; L374: if (mode === '0') return { opened: false, skipped: true }; L375: if (mode === 'fetch') { L376: await fetch(url, { redirect: 'follow', signal: AbortSignal.timeout(30_000) }); L377: return { opened: true, mode: 'fetch' }; ... L382: // as a single argument, so query characters (& ? =) need no shell quoting. L383: // The previous powershell `Start-Process -FilePath $args[0]` form exited L384: // non-zero and the browser silently never opened on Windows.
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/lib/auth.mjsView on unpkg · L372
bin/postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L3: import { L4: copyFileSync, L5: cpSync, L6: existsSync, L7: mkdirSync, L8: readFileSync, ... L11: rmSync, L12: writeFileSync, L13: } from 'node:fs'; ... L46: const bundledWorkflowsDir = path.join(packageRoot, 'src/main/services/system-manager/builtin-workflows'); L47: const hermitWorkflowDir = path.join(hermitHome, '.claude', 'workflow'); L48: const builtinWorkflowMarker = '<!-- hermit-builtin-workflow:v2-loop -->'; Payload evidence from src/renderer/features/CLAUDE.md: L1: # Renderer Features - Legacy Note L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/postinstall.mjsView on unpkg · L1
bin/lib/update.mjsView file
58try { L59: execSync(`npm install -g ${BRAND.npmPackage}@latest`, { stdio: 'inherit' }); L60: [redacted]();
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/lib/update.mjsView on unpkg · L58
dist-renderer/icon.rarView file
path = dist-renderer/icon.rar kind = high_entropy_blob sizeBytes = 85506 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-renderer/icon.rarView on unpkg
path = dist-renderer/icon.rar kind = compressed_blob sizeBytes = 85506 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist-renderer/icon.rarView on unpkg
path = dist-renderer/icon.rar kind = nested_archive_needs_inspection sizeBytes = 85506 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist-renderer/icon.rarView on unpkg
dist-renderer/assets/index-h-ET_ve1.jsView file
path = dist-renderer/assets/index-h-ET_ve1.js kind = oversized_source_file sizeBytes = 6548154 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-renderer/assets/index-h-ET_ve1.jsView on unpkg

Findings

1 Critical7 High7 Medium8 Low
CriticalAi Agent Control Hijackbin/postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/kill-dev.js
HighShellbin/kill-dev.js
HighSame File Env Network Executionbin/lib/auth.mjs
HighRuntime Package Installbin/lib/update.mjs
HighShips High Entropy Blobdist-renderer/icon.rar
HighOversized Source Filedist-renderer/assets/index-h-ET_ve1.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist-renderer/assets/livescript-BwQOo05w.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/lib/aikey.mjs
MediumShips Compressed Blobdist-renderer/icon.rar
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/lib/teams.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist-renderer/icon.rar
LowCopyleft License