registry  /  agent-baba-d  /  1.9.0

agent-baba-d@1.9.0

Flexible AI inference CLI tool supporting local models and cloud APIs

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit multi-agent CLI can execute package publishing and project test installation. Its plugin command dynamically imports user-local agent files, but no install-time or covert package-triggered execution is present.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `agent-baba-d execute` and a planner task selects `package` or `tester`, or explicitly runs the plugins command.
Impact
Can publish the current project, install its dependencies in a temp copy, or execute code the user placed in `~/.buff/agents/`.
Mechanism
LLM-planned shell-capable project automation and user-local plugin loading.
Rationale
This is not concrete package malware: high-risk actions are user-triggered and aligned with a development-agent CLI. The unchecked task-type dispatch and local dynamic plugin import leave meaningful automation risk, so a warning is warranted.
Evidence
package.jsondist/index.jsdist/agents/orchestrator.jsdist/agents/agents/package-agent.jsdist/agents/agents/tester.jsdist/plugins/agent-plugin.jsdist/inference/local-adapter.jsdist/config/manager.js
Network endpoints6
api.github.comapi.groq.com/openai/v1generativelanguage.googleapis.com/v1beta/modelsintegrate.api.nvidia.com/v1openrouter.ai/api/v1localhost:11434

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/agents/agents/package-agent.js` runs `npm publish` and edits the current project's `package.json` when a `package` task is executed.
  • `dist/agents/orchestrator.js` accepts planner-produced agent types without an allowlist and maps `package` to `PackageAgent`.
  • `dist/plugins/agent-plugin.js` imports every `.js` file in `~/.buff/agents/` when the explicit plugins command is used.
  • `dist/agents/agents/tester.js` copies a project and runs `npm install` plus its test script in a temporary sandbox.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook; importing `dist/index.js` only starts the CLI parser.
  • Publishing, testing, and plugin discovery require explicit CLI/agent-task execution; no automatic invocation was found.
  • Network adapters send inference requests only to configured model providers or local Ollama; no covert collector endpoint was found.
  • `README.md` API-key strings are documented placeholders, not embedded live credentials.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 373 KB of source, external domains: api.github.com, api.groq.com, generativelanguage.googleapis.com, github.com, huggingface.co, integrate.api.nvidia.com, openrouter.ai, python.org

Source & flagged code

10 flagged · loading source
README.mdView file
148patternName = google_api_key severity = high line = 148 matchedText = GEMINI_A...xxxx
High
High Secret

Package contains a high-severity secret pattern.

README.mdView on unpkg · L148
148patternName = google_api_key severity = high line = 148 matchedText = GEMINI_A...xxxx
High
Secret Pattern

Google API key in README.md

README.mdView on unpkg · L148
dist/agents/agents/git-agent.jsView file
17*/ L18: import { execSync } from 'node:child_process'; L19: import { writeFileSync, unlinkSync, mkdtempSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/agents/agents/git-agent.jsView on unpkg · L17
dist/agents/agents/runner.jsView file
67// Use shell so we can run python, node, bash scripts etc. L68: shell: platform() === 'win32' ? (process.env.COMSPEC || 'cmd.exe') : '/bin/sh', L69: // Max buffer size: 1 MB
High
Shell

Package source references shell execution.

dist/agents/agents/runner.jsView on unpkg · L67
dist/plugins/agent-plugin.jsView file
47// Dynamic import for ESM compatibility L48: const plugin = await import(pluginPath); L49: if (!plugin.default || !plugin.default.metadata) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/agent-plugin.jsView on unpkg · L47
dist/memory/embedder.jsView file
111try { L112: const parsed = JSON.parse(trimmed); L113: if (isValidEmbedding(parsed))
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/memory/embedder.jsView on unpkg · L111
dist/agents/agents/package-agent.jsView file
16import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
Critical
Npm Publish Worm

Source mutates package metadata and republishes itself to npm.

dist/agents/agents/package-agent.jsView on unpkg · L16
16Trigger-reachable chain: manifest.main -> dist/index.js -> dist/agents/orchestrator.js -> dist/agents/agents/package-agent.js L16: import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/agents/agents/package-agent.jsView on unpkg · L16
dist/agents/agents/tester.jsView file
198try { L199: return execSync('npm install --prefer-offline --no-audit --no-fund 2>&1', { L200: cwd: sandboxPath,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/agents/agents/tester.jsView on unpkg · L198
dist/inference/local-adapter.jsView file
matchType = previous_version_dangerous_delta matchedPackage = agent-baba-d@1.8.0 matchedIdentity = npm:YWdlbnQtYmFiYS1k:1.8.0 similarity = 0.849 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/inference/local-adapter.jsView on unpkg

Findings

3 Critical5 High4 Medium5 Low
CriticalNpm Publish Wormdist/agents/agents/package-agent.js
CriticalTrigger Reachable Dangerous Capabilitydist/agents/agents/package-agent.js
CriticalPrevious Version Dangerous Deltadist/inference/local-adapter.js
HighHigh SecretREADME.md
HighChild Processdist/agents/agents/git-agent.js
HighShelldist/agents/agents/runner.js
HighRuntime Package Installdist/agents/agents/tester.js
HighSecret PatternREADME.md
MediumDynamic Requiredist/plugins/agent-plugin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/memory/embedder.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings