agent-device@0.18.1

Agent-native CLI for AI app automation across iOS, Android, tvOS, Android TV, macOS, Linux, and web.

AI Security Review

scanned 7h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs agent-device CLI or starts its MCP stdio server.
Impact
Can inspect UI, control apps/devices, read/write clipboard, collect logs/network/perf, install helper APKs, and write local state/artifacts when commanded.
Mechanism
AI agent device automation, subprocess-based platform tooling, packaged Android instrumentation helpers
Policy narrative
The package is a legitimate AI-agent device automation platform with an MCP server and helper binaries. Its dangerous primitives are activated by user CLI/MCP actions and are package-aligned; inspection found no npm lifecycle hook, no unconsented foreign agent control-surface mutation, and no credential exfiltration path.
Rationale
Static inspection supports a warn-level dangerous capability verdict because the package intentionally gives agents broad device/app automation and diagnostics powers, but the behavior is user-invoked and package-aligned. No concrete malicious install-time or import-time attack behavior was found.
Evidence
  • package.json
  • bin/agent-device.mjs
  • server.json
  • skills/agent-device/SKILL.md
  • dist/src/internal/bin.js
  • dist/src/7871.js
  • dist/src/5913.js
  • dist/src/8875.js
  • dist/src/5448.js
  • src/platforms/linux/atspi-dump.py
  • android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.manifest.json
  • android-multitouch-helper/dist/agent-device-android-multitouch-helper-0.18.1.manifest.json
  • ~/.agent-device/daemon.json
  • ~/.agent-device/daemon.lock
  • ~/.agent-device/daemon.log
  • ~/.agent-device/sessions
  • ~/.agent-device/update-check.json
  • android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.apk
  • android-multitouch-helper/dist/agent-device-android-multitouch-helper-0.18.1.apk
Network endpoints (1)
registry.npmjs.org/agent-device/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • server.json declares an MCP stdio server for AI agents to inspect/control apps and devices.
  • dist/src/7871.js exposes high-capability actions: apps.open/close/push, system clipboard, diagnostics logs/network/perf, recording and tracing.
  • dist/src/8875.js provides spawn/spawnSync/detached process helpers used for adb/xcrun/npm/tesseract and platform tooling.
  • dist/src/5448.js performs a user-runtime update check to https://registry.npmjs.org/agent-device/latest and writes update-check.json.
  • Packaged Android helper APKs are shipped with manifests for installing instrumentation helpers.
Evidence against
  • package.json has no install/postinstall lifecycle hook; prepack/version are publisher-side scripts.
  • bin/agent-device.mjs only imports the built CLI when the user runs the binary.
  • No source evidence of install-time writes to foreign Claude/Codex/Cursor/MCP control surfaces.
  • Skills instruct users not to autonomously run npm install -g or npx @latest.
  • Diagnostics code redacts tokens/secrets before returning logs/network data.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 88 file(s), 1.41 MB of source, external domains: 127.0.0.1, api-cloud.browserstack.com, cloud.agent-device.dev, example.com, example.trycloudflare.com, github.com, hub-cloud.browserstack.com, registry.npmjs.org

Source & flagged code

8 flagged
dist/src/7871.js
patternName = generic_password severity = medium line = 1 matchedText = import e...al};
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/src/7871.js · L1
bin/agent-device.mjs
L18: await import(pathToFileURL(distPath).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/agent-device.mjs · L17
dist/src/5913.js
import e from"node:crypto";import t from"node:fs";import n from"node:path";import{AppError as r}from"./485.js";import{resolveUserPath as o,expandUserHomePath as s}from"./9612.js";i... L2: `}function z(e){return`${JSON.stringify({type:"response",response:e})}
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/5913.js · L1
src/platforms/linux/atspi-dump.py
path = src/platforms/linux/atspi-dump.py kind = build_helper sizeBytes = 8177 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.apk
path = android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.apk kind = high_entropy_blob sizeBytes = 16811 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

path = android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.apk kind = compressed_blob sizeBytes = 16811 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

path = android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.apk kind = nested_archive_needs_inspection sizeBytes = 16811 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/src/485.js
patternName = generic_password severity = medium line = 1 matchedText = let e=/(...de};
Medium
Secret Pattern

Hardcoded password in dist/src/485.js

dist/src/485.js · L1

Findings

1 High · 8 Medium · 7 Low
High · Ships High Entropy Blob · android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.apk
Medium · Secret Pattern · dist/src/7871.js
Medium · Dynamic Require · bin/agent-device.mjs
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · src/platforms/linux/atspi-dump.py
Medium · Ships Compressed Blob · android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.apk
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/src/485.js
Low · Scripts Present
Low · Weak Crypto · dist/src/5913.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · Nested Archive Needs Inspection · android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.1.apk