registry  /  agent-baba-d  /  1.12.0

agent-baba-d@1.12.0

Flexible AI inference CLI tool supporting local models and cloud APIs

AI Security Review

scanned 3h ago · by lpm-firewall-ai

This is a user-invoked AI development CLI with real shell, npm publishing, and GitHub release capabilities. No install-time execution or covert exfiltration path is established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs an orchestration/workflow command, especially `workflow run publish-release`, or a runner task.
Impact
May execute shell commands in the current project, publish to npm, and create GitHub releases using available user credentials.
Mechanism
LLM/task-directed shell execution plus authenticated package and release actions.
Rationale
Source inspection does not show malware, lifecycle abuse, covert exfiltration, or foreign AI-agent control-surface mutation. It does expose high-impact, LLM-directed developer automation without an explicit confirmation gate, which is a dangerous dual-use capability.
Evidence
package.jsondist/index.jsdist/workflow/templates.jsdist/agents/orchestrator.jsdist/agents/agents/runner.jsdist/agents/agents/package-agent.jsdist/agents/agents/github-release-agent.jsdist/agents/agents/tester.jsdist/plugins/agent-plugin.jsdist/config/manager.jsCHANGELOG.md~/.buff/buffconfig.json
Network endpoints6
api.github.com/repos/${repo}/releasesintegrate.api.nvidia.com/v1generativelanguage.googleapis.com/v1beta/modelsopenrouter.ai/api/v1api.groq.com/openai/v1localhost:11434

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/agents/agents/runner.js` passes task/LLM-derived commands to `execSync` with `/bin/sh`.
  • `dist/workflow/templates.js` exposes a user-invoked `publish-release` workflow that selects the package agent.
  • `dist/agents/agents/package-agent.js` runs `npm publish` and writes the target project's `package.json`.
  • `dist/agents/agents/github-release-agent.js` can use `GH_TOKEN`/`GITHUB_API_KEY` to create GitHub releases.
  • `dist/agents/agents/tester.js` runs `npm install` and project test scripts in a copied sandbox.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • `dist/index.js` only starts the CLI after direct invocation.
  • Network adapters target declared LLM providers and the GitHub API; no covert endpoint was found.
  • Plugin loading is limited to explicit `plugins` commands and `~/.buff/agents` files.
  • No credential harvesting, stealth persistence, or destructive host action was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 58 file(s), 374 KB of source, external domains: api.github.com, api.groq.com, generativelanguage.googleapis.com, github.com, huggingface.co, integrate.api.nvidia.com, openrouter.ai, python.org

Source & flagged code

9 flagged · loading source
README.mdView file
148patternName = google_api_key severity = high line = 148 matchedText = GEMINI_A...xxxx
High
High Secret

Package contains a high-severity secret pattern.

README.mdView on unpkg · L148
148patternName = google_api_key severity = high line = 148 matchedText = GEMINI_A...xxxx
High
Secret Pattern

Google API key in README.md

README.mdView on unpkg · L148
dist/agents/agents/git-agent.jsView file
17*/ L18: import { execSync } from 'node:child_process'; L19: import { writeFileSync, unlinkSync, mkdtempSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/agents/agents/git-agent.jsView on unpkg · L17
dist/agents/agents/runner.jsView file
67// Use shell so we can run python, node, bash scripts etc. L68: shell: platform() === 'win32' ? (process.env.COMSPEC || 'cmd.exe') : '/bin/sh', L69: // Max buffer size: 1 MB
High
Shell

Package source references shell execution.

dist/agents/agents/runner.jsView on unpkg · L67
dist/plugins/agent-plugin.jsView file
47// Dynamic import for ESM compatibility L48: const plugin = await import(pluginPath); L49: if (!plugin.default || !plugin.default.metadata) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/agent-plugin.jsView on unpkg · L47
dist/memory/embedder.jsView file
111try { L112: const parsed = JSON.parse(trimmed); L113: if (isValidEmbedding(parsed))
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/memory/embedder.jsView on unpkg · L111
dist/agents/agents/package-agent.jsView file
16import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
Critical
Npm Publish Worm

Source mutates package metadata and republishes itself to npm.

dist/agents/agents/package-agent.jsView on unpkg · L16
16Trigger-reachable chain: manifest.main -> dist/index.js -> dist/agents/orchestrator.js -> dist/agents/agents/package-agent.js L16: import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/agents/agents/package-agent.jsView on unpkg · L16
dist/agents/agents/tester.jsView file
198try { L199: return execSync('npm install --prefer-offline --no-audit --no-fund 2>&1', { L200: cwd: sandboxPath,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/agents/agents/tester.jsView on unpkg · L198

Findings

2 Critical5 High4 Medium5 Low
CriticalNpm Publish Wormdist/agents/agents/package-agent.js
CriticalTrigger Reachable Dangerous Capabilitydist/agents/agents/package-agent.js
HighHigh SecretREADME.md
HighChild Processdist/agents/agents/git-agent.js
HighShelldist/agents/agents/runner.js
HighRuntime Package Installdist/agents/agents/tester.js
HighSecret PatternREADME.md
MediumDynamic Requiredist/plugins/agent-plugin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/memory/embedder.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings