registry  /  agent-insight  /  0.5.4

agent-insight@0.5.4

Agent Skill 评估与观测平台 — 量化评估 Skills 在 Agent 上的实际运行效果

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agent-insight install` or enables/installs the shipped agent integration.
Impact
Configured agent conversations and tool activity can be persisted locally and sent to the configured Agent Insight service; setup can add remote skills to agent project directories.
Mechanism
Explicit agent-extension setup and configurable telemetry upload.
Rationale
Source inspection does not establish covert or automatic malicious execution, so blocking is not warranted. The package nevertheless provides explicit agent-extension installation and configurable conversation telemetry export, which warrants a warning.
Evidence
package.jsonscripts/postinstall.jsscripts/install.jsscripts/opencode_plugin_otel.tsscripts/opencode_uploader_client.jsscripts/sync_skills.jsscripts/utils.js.env.example
Network endpoints2
atomgit.com/openeuler/witty-skill-insight.git127.0.0.1:3000/api/sync/manifest

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/install.js` explicit install command downloads a localhost-generated setup script and executes it with shell/PowerShell.
  • `scripts/install.js` explicitly runs `npx skills add` against an external Git URL.
  • `scripts/opencode_plugin_otel.ts` captures OpenCode system prompts, chat messages, completions, and tool events.
  • `scripts/opencode_uploader_client.js` uploads collected session data to configured `AGENT_INSIGHT_HOST`; it permits keyless uploads.
  • `scripts/sync_skills.js` downloads dashboard-provided archives into project `.opencode/.claude/.openhands/.deepagents` skill paths.
  • `.env.example` contains a non-placeholder Langfuse secret-key value.
Evidence against
  • `package.json` lifecycle hook only invokes `scripts/postinstall.js`; it does not invoke skill sync or OpenCode telemetry setup.
  • `scripts/postinstall.js` initializes package-owned data/config, Prisma artifacts, and bundled runtime files.
  • Telemetry upload requires `AGENT_INSIGHT_HOST`; the uploader exits when no host is configured.
  • The OpenCode plugin redacts common secret-key fields before writing telemetry events.
  • No hard-coded non-local telemetry host, credential theft logic, obfuscated payload, or foreign agent-control mutation was confirmed during install.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 253 KB of source, external domains: 100.125.177.5, atomgit.com, nodejs.org, registry.npmjs.org

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
public/sync_skills.tsView file
9L10: import { execSync } from 'child_process'; L11: import * as fs from 'fs';
High
Child Process

Package source references child process execution.

public/sync_skills.tsView on unpkg · L9
scripts/install.jsView file
2L3: const { spawn } = require('child_process') L4: const http = require('http') L5: const path = require('path') ... L11: function getPreferredHomeDataRoot() { L12: return path.join(os.homedir(), '.agent-insight') L13: } ... L47: } L48: process.stdout.write(`\r⏳ 等待服务启动... (${i + 1}/${maxRetries})`) L49: await sleep(retryDelay) ... L74: try { L75: const result = JSON.parse(data)
High
Install Named Payload File

Install-named source file stages remote content through filesystem writes and execution.

scripts/install.jsView on unpkg · L2
scripts/postinstall.jsView file
81try { L82: execSync('npx prisma db push', { L83: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L81
.next/standalone/scripts/jiuwen_extension/extension.pyView file
path = .next/standalone/scripts/jiuwen_extension/extension.py kind = build_helper sizeBytes = 9645 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.next/standalone/scripts/jiuwen_extension/extension.pyView on unpkg
.next/standalone/.next/static/media/KaTeX_Size4-Regular.b211e3d3.woffView file
path = .next/standalone/.next/static/media/KaTeX_Size4-Regular.b211e3d3.woff kind = high_entropy_blob sizeBytes = 5980 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/standalone/.next/static/media/KaTeX_Size4-Regular.b211e3d3.woffView on unpkg
.next/standalone/.next/server/chunks/[root-of-the-server]__a130a0e5._.jsView file
path = .next/standalone/.next/server/chunks/[root-of-the-server]__a130a0e5._.js kind = payload_in_excluded_dir sizeBytes = 3942216 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/standalone/.next/server/chunks/[root-of-the-server]__a130a0e5._.jsView on unpkg
path = .next/standalone/.next/server/chunks/[root-of-the-server]__a130a0e5._.js kind = oversized_source_file sizeBytes = 3942216 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

.next/standalone/.next/server/chunks/[root-of-the-server]__a130a0e5._.jsView on unpkg
scripts/opencode_plugin_otel.tsView file
matchType = previous_version_dangerous_delta matchedPackage = agent-insight@0.4.2 matchedIdentity = npm:YWdlbnQtaW5zaWdodA:0.4.2 similarity = 0.895 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/opencode_plugin_otel.tsView on unpkg

Findings

1 Critical8 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltascripts/opencode_plugin_otel.ts
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processpublic/sync_skills.ts
HighShell
HighInstall Named Payload Filescripts/install.js
HighRuntime Package Installscripts/postinstall.js
HighShips High Entropy Blob.next/standalone/.next/static/media/KaTeX_Size4-Regular.b211e3d3.woff
HighPayload In Excluded Dir.next/standalone/.next/server/chunks/[root-of-the-server]__a130a0e5._.js
HighOversized Source File.next/standalone/.next/server/chunks/[root-of-the-server]__a130a0e5._.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.next/standalone/scripts/jiuwen_extension/extension.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings