registry  /  agent-baba-d  /  1.8.0

agent-baba-d@1.8.0

Flexible AI inference CLI tool supporting local models and cloud APIs

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User invokes the `execute` CLI command with a goal that produces corresponding agent tasks.
Impact
A malicious or prompt-injected task plan could execute commands or make project/release changes under the invoking user's permissions.
Mechanism
LLM-directed task dispatch to shell, npm publishing, and GitHub release operations.
Rationale
The scanner’s worm claim overstates explicit publishing functionality, but source confirms broad LLM-directed command execution without an approval boundary. This warrants a warning for dangerous capability rather than a block for malware.
Evidence
package.jsondist/index.jsdist/cli/execute.jsdist/agents/orchestrator.jsdist/agents/agents/runner.jsdist/agents/agents/package-agent.jsdist/agents/agents/tester.jsdist/agents/agents/github-release-agent.jsdist/plugins/agent-plugin.js
Network endpoints1
api.github.com/repos/${repo}/releases

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/agents/orchestrator.js` executes planner-produced task types without a confirmation gate.
  • `dist/agents/agents/runner.js` executes commands parsed from tasks or generated by the LLM via `execSync`.
  • `dist/agents/agents/package-agent.js` can alter a project `package.json` and run `npm publish` when a package task requests publishing.
  • `dist/agents/agents/tester.js` installs dependencies and runs a selected test command in a copied sandbox.
  • `dist/agents/agents/github-release-agent.js` can send a bearer token to `api.github.com` to create releases.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • `dist/index.js` only starts the CLI after user invocation; importing it exposes exports but also runs CLI parsing only as its executable entrypoint.
  • No source evidence of credential harvesting, unrelated endpoint exfiltration, hidden payload download, or destructive install-time behavior.
  • `dist/plugins/agent-plugin.js` uses the package-owned `~/.buff` directory rather than mutating foreign AI-agent configuration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 56 file(s), 354 KB of source, external domains: api.github.com, api.groq.com, generativelanguage.googleapis.com, github.com, huggingface.co, integrate.api.nvidia.com, openrouter.ai, python.org

Source & flagged code

10 flagged · loading source
README.mdView file
148patternName = google_api_key severity = high line = 148 matchedText = GEMINI_A...xxxx
High
High Secret

Package contains a high-severity secret pattern.

README.mdView on unpkg · L148
148patternName = google_api_key severity = high line = 148 matchedText = GEMINI_A...xxxx
High
Secret Pattern

Google API key in README.md

README.mdView on unpkg · L148
dist/agents/agents/git-agent.jsView file
17*/ L18: import { execSync } from 'node:child_process'; L19: import { writeFileSync, unlinkSync, mkdtempSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/agents/agents/git-agent.jsView on unpkg · L17
dist/agents/agents/runner.jsView file
67// Use shell so we can run python, node, bash scripts etc. L68: shell: platform() === 'win32' ? (process.env.COMSPEC || 'cmd.exe') : '/bin/sh', L69: // Max buffer size: 1 MB
High
Shell

Package source references shell execution.

dist/agents/agents/runner.jsView on unpkg · L67
dist/plugins/agent-plugin.jsView file
47// Dynamic import for ESM compatibility L48: const plugin = await import(pluginPath); L49: if (!plugin.default || !plugin.default.metadata) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/agent-plugin.jsView on unpkg · L47
dist/memory/embedder.jsView file
111try { L112: const parsed = JSON.parse(trimmed); L113: if (isValidEmbedding(parsed))
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/memory/embedder.jsView on unpkg · L111
dist/agents/agents/package-agent.jsView file
16import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
Critical
Npm Publish Worm

Source mutates package metadata and republishes itself to npm.

dist/agents/agents/package-agent.jsView on unpkg · L16
16Trigger-reachable chain: manifest.main -> dist/index.js -> dist/agents/orchestrator.js -> dist/agents/agents/package-agent.js L16: import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/agents/agents/package-agent.jsView on unpkg · L16
dist/agents/agents/tester.jsView file
198try { L199: return execSync('npm install --prefer-offline --no-audit --no-fund 2>&1', { L200: cwd: sandboxPath,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/agents/agents/tester.jsView on unpkg · L198
dist/agents/agents/github-release-agent.jsView file
matchType = previous_version_dangerous_delta matchedPackage = agent-baba-d@1.3.1 matchedIdentity = npm:YWdlbnQtYmFiYS1k:1.3.1 similarity = 0.524 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agents/agents/github-release-agent.jsView on unpkg

Findings

3 Critical5 High4 Medium5 Low
CriticalNpm Publish Wormdist/agents/agents/package-agent.js
CriticalTrigger Reachable Dangerous Capabilitydist/agents/agents/package-agent.js
CriticalPrevious Version Dangerous Deltadist/agents/agents/github-release-agent.js
HighHigh SecretREADME.md
HighChild Processdist/agents/agents/git-agent.js
HighShelldist/agents/agents/runner.js
HighRuntime Package Installdist/agents/agents/tester.js
HighSecret PatternREADME.md
MediumDynamic Requiredist/plugins/agent-plugin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/memory/embedder.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings