registry  /  agent-baba-d  /  1.3.1

agent-baba-d@1.3.1

Flexible AI inference CLI tool supporting local models and cloud APIs

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI's network, file-write, and local-process capabilities are explicit user-command features for AI inference and editing.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `agent-baba-d` commands such as `chat`, `edit`, `plan`, or `models`.
Impact
User-provided prompts or selected file content may be sent to the configured inference provider; `edit` can overwrite the explicitly supplied file.
Mechanism
User-directed inference requests, optional local model execution, and selected-file editing.
Rationale
Source implements a user-invoked AI CLI with declared cloud/local providers. The scanner signals are explained by normal API-key configuration and provider requests; no install-time execution or concrete malicious chain was found.
Evidence
package.jsondist/index.jsdist/utils/env.jsdist/config/manager.jsdist/inference/local-adapter.jsdist/inference/gemini-adapter.jsdist/inference/nim-adapter.jsdist/inference/openrouter-adapter.jsdist/inference/groq-adapter.jsdist/cli/edit.jsdist/context/cache.js.env~/.buff/.env~/.buff/buffconfig.json~/.buff/cache.db
Network endpoints5
localhost:11434integrate.api.nvidia.com/v1generativelanguage.googleapis.com/v1beta/modelsopenrouter.ai/api/v1api.groq.com/openai/v1

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/cli/edit.js` sends a user-selected file's content to the chosen inference provider and overwrites that same path only after explicit `edit` invocation.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `dist/index.js` only initializes the Commander CLI when its executable is run.
  • `dist/utils/env.js` reads API keys only to configure declared inference providers.
  • `dist/inference/*.js` sends prompts only to named AI-provider endpoints or local Ollama.
  • No source reads credential stores, mutates agent-control files, downloads payloads, or uses eval/shell execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 81.5 KB of source, external domains: api.groq.com, generativelanguage.googleapis.com, github.com, huggingface.co, integrate.api.nvidia.com, openrouter.ai, python.org

Source & flagged code

2 flagged · loading source
README.mdView file
148patternName = google_api_key severity = high line = 148 matchedText = GEMINI_A...xxxx
High
High Secret

Package contains a high-severity secret pattern.

README.mdView on unpkg · L148
148patternName = google_api_key severity = high line = 148 matchedText = GEMINI_A...xxxx
High
Secret Pattern

Google API key in README.md

README.mdView on unpkg · L148

Findings

2 High2 Medium4 Low
HighHigh SecretREADME.md
HighSecret PatternREADME.md
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings