registry  /  @yancyyu/agentcli  /  1.9.7

@yancyyu/agentcli@1.9.7

AgentCli: AI 工程协作平台,本地优先的用量采集与团队协作工具。

AI Security Review

scanned 3d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm postinstall; separately, an explicit `agentcli aikey` command.
Impact
The package creates files under `~/.hermit`; the explicit command may redirect local Claude/Codex clients to a user-selected gateway.
Mechanism
First-party workflow provisioning plus user-invoked AI runtime credential configuration.
Rationale
Source inspection does not substantiate the scanner's malicious verdict, but explicit mutation of Claude/Codex credentials and shell startup files remains a real high-impact capability. Flag as warn rather than block because the lifecycle script does not mutate foreign/broad AI-agent control surfaces.
Evidence
package.jsonbin/postinstall.mjsbin/lib/aikey.mjssrc/main/services/system-manager/builtin-workflows/compliance-audit.mdsrc/main/services/system-manager/builtin-workflows/~/.hermit/hermit-bridge/~/.hermit/.claude/workflow/~/.claude/settings.json~/.codex/auth.json~/.codex/config.toml

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `bin/postinstall.mjs` on install.
  • `bin/postinstall.mjs` copies package workflows into `~/.hermit/.claude/workflow`.
  • `bin/lib/aikey.mjs` explicitly supports writing claimed keys into `~/.claude/settings.json` and `~/.codex/*`.
  • `bin/lib/aikey.mjs` can install a shell startup hook after its command flow.
Evidence against
  • Postinstall only migrates and writes under package-owned `~/.hermit`; it does not alter global `~/.claude` or `~/.codex`.
  • Installed workflow sources are audit-oriented and instruct read-only, non-destructive operation.
  • No install-time network request, credential harvesting, shell execution, or remote-payload execution was found.
  • Foreign agent-config writes are in the explicit `aikey` command path, not lifecycle code.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
CopyleftLicense
scanned 1,120 file(s), 10.2 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.anthropic.com, api.dicebear.com, api.example.com, api.github.com, cdn.jsdelivr.net, chevrotain.io, en.wikipedia.org, github.com, jquery.org, langium.org, raw.githubusercontent.com, react.dev, redis.example.com, redis.lazymind.vip, tldrlegal.com, voicetext.site, www.w3.org, yancyuu.github.io, yancyyu.github.io
Oversized source lightweight scan
dist-renderer/assets/index-Bo4xGbxH.js6.24 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsreact.dev

Source & flagged code

15 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/kill-dev.jsView file
1#!/usr/bin/env node L2: import { spawnSync } from 'child_process'; L3:
High
Child Process

Package source references child process execution.

bin/kill-dev.jsView on unpkg · L1
8stdio: 'inherit', L9: shell: true, L10: });
High
Shell

Package source references shell execution.

bin/kill-dev.jsView on unpkg · L8
bin/lib/navigationCommand.mjsView file
133L134: const require = createRequire(import.meta.url); L135:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/lib/navigationCommand.mjsView on unpkg · L133
bin/lib/teams.mjsView file
70if (!raw) return ''; L71: if (raw === '~') return os.homedir(); L72: if (raw.startsWith('~/')) return path.join(os.homedir(), raw.slice(2));
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/lib/teams.mjsView on unpkg · L70
bin/lib/aikey.mjsView file
116L117: const home = os.homedir(); L118: let rcFile; L119: if (isZsh) { L120: rcFile = path.join(home, '.zshrc'); L121: } else { ... L157: try { L158: raw = JSON.parse(readFileSync(mockPath, 'utf-8')); L159: } catch { ... L169: if (!ctx) return null; L170: const res = await fetch(`${ctx.baseUrl}/api/v1/hermit/ai-key`, { L171: headers: { Authorization: `Bearer ${ctx.token}`, Accept: 'application/json' },
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/lib/aikey.mjsView on unpkg · L116
bin/lib/auth.mjsView file
372async function openExternalUrl(url) { L373: const mode = process.env.OPENHERMIT_AUTH_OPEN_BROWSER || process.env.OPENHERMIT_OAUTH_OPEN_BROWSER; L374: if (mode === '0') return { opened: false, skipped: true }; L375: if (mode === 'fetch') { L376: await fetch(url, { redirect: 'follow', signal: AbortSignal.timeout(30_000) }); L377: return { opened: true, mode: 'fetch' }; ... L382: // as a single argument, so query characters (& ? =) need no shell quoting. L383: // The previous powershell `Start-Process -FilePath $args[0]` form exited L384: // non-zero and the browser silently never opened on Windows.
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/lib/auth.mjsView on unpkg · L372
bin/postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L3: import { L4: copyFileSync, L5: cpSync, L6: existsSync, L7: mkdirSync, L8: readFileSync, ... L11: rmSync, L12: writeFileSync, L13: } from 'node:fs'; ... L46: const bundledWorkflowsDir = path.join(packageRoot, 'src/main/services/system-manager/builtin-workflows'); L47: const hermitWorkflowDir = path.join(hermitHome, '.claude', 'workflow'); L48: const builtinWorkflowMarker = '<!-- hermit-builtin-workflow:v2-loop -->'; Payload evidence from src/renderer/features/CLAUDE.md: L1: # Renderer Features - Legacy Note L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/postinstall.mjsView on unpkg · L1
bin/lib/update.mjsView file
58try { L59: execSync(`npm install -g ${BRAND.npmPackage}@latest`, { stdio: 'inherit' }); L60: [redacted]();
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/lib/update.mjsView on unpkg · L58
dist-renderer/icon.rarView file
path = dist-renderer/icon.rar kind = high_entropy_blob sizeBytes = 85506 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-renderer/icon.rarView on unpkg
path = dist-renderer/icon.rar kind = compressed_blob sizeBytes = 85506 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist-renderer/icon.rarView on unpkg
path = dist-renderer/icon.rar kind = nested_archive_needs_inspection sizeBytes = 85506 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist-renderer/icon.rarView on unpkg
dist-renderer/assets/index-Bo4xGbxH.jsView file
path = dist-renderer/assets/index-Bo4xGbxH.js kind = oversized_source_file sizeBytes = 6543243 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-renderer/assets/index-Bo4xGbxH.jsView on unpkg
bin/hermit.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @yancyyu/agentcli@1.9.6 matchedIdentity = npm:QHlhbmN5eXUvYWdlbnRjbGk:1.9.6 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/hermit.mjsView on unpkg

Findings

2 Critical7 High7 Medium8 Low
CriticalAi Agent Control Hijackbin/postinstall.mjs
CriticalPrevious Version Dangerous Deltabin/hermit.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/kill-dev.js
HighShellbin/kill-dev.js
HighSame File Env Network Executionbin/lib/auth.mjs
HighRuntime Package Installbin/lib/update.mjs
HighShips High Entropy Blobdist-renderer/icon.rar
HighOversized Source Filedist-renderer/assets/index-Bo4xGbxH.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/lib/navigationCommand.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/lib/aikey.mjs
MediumShips Compressed Blobdist-renderer/icon.rar
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/lib/teams.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist-renderer/icon.rar
LowCopyleft License