registry  /  agent-nuvira  /  1.14.0

agent-nuvira@1.14.0

Agent-Nuvira: Multi-agent AI coding CLI — plan, write, review, test, and publish code with local models (Ollama) or cloud APIs (Groq, NVIDIA NIM, Google Gemini, OpenRouter)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package exposes expected coding-agent shell, test, publishing, and optional plugin capabilities, all activated at CLI/runtime rather than installation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit CLI invocation or a user/task-plan-selected agent action.
Impact
Can run project commands or publish only when the user invokes those capabilities; no stealth install-time behavior or exfiltration was found.
Mechanism
User-directed coding-agent execution and local plugin discovery.
Rationale
Scanner findings map to declared coding-agent features: explicit command execution, sandboxed testing, package publishing, and user-owned plugin loading. Static inspection found no install-time execution, credential theft, hidden remote payload, or unconsented foreign AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/agents/agents/package-agent.jsdist/agents/agents/runner.jsdist/agents/agents/tester.jsdist/plugins/agent-plugin.jscontext.workingDirectory/package.json~/.buff/plugins~/.buff/agents~/.buff/workflows

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hook.
    • dist/index.js only starts the CLI after direct execution.
    • dist/agents/agents/package-agent.js publishes only when a package task requests publish.
    • dist/agents/agents/runner.js executes commands only through CLI/task-plan actions.
    • dist/plugins/agent-plugin.js loads only user-owned ~/.buff plugin directories.
    • No source path inspected harvests or exfiltrates credentials.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 94 file(s), 1.39 MB of source, external domains: aistudio.google.com, api.github.com, api.groq.com, build.nvidia.com, console.groq.com, docs.docker.com, fb.me, generativelanguage.googleapis.com, github.com, huggingface.co, integrate.api.nvidia.com, jsonplaceholder.typicode.com, openrouter.ai, python.org, raw.githubusercontent.com, reactjs.org, www.google.com, www.w3.org

    Source & flagged code

    10 flagged · loading source
    README.mdView file
    119patternName = google_api_key severity = high line = 119 matchedText = export G...xxx"
    High
    High Secret

    Package contains a high-severity secret pattern.

    README.mdView on unpkg · L119
    119patternName = google_api_key severity = high line = 119 matchedText = export G...xxx"
    High
    Secret Pattern

    Google API key in README.md

    README.mdView on unpkg · L119
    211patternName = google_api_key severity = high line = 211 matchedText = GEMINI_A...xxxx
    High
    Secret Pattern

    Google API key in README.md

    README.mdView on unpkg · L211
    dist/memory/embedder.jsView file
    15import { createHash } from 'node:crypto'; L16: import { spawn } from 'node:child_process'; L17: import { logger } from '../utils/logger.js';
    High
    Child Process

    Package source references child process execution.

    dist/memory/embedder.jsView on unpkg · L15
    15import { createHash } from 'node:crypto'; L16: import { spawn } from 'node:child_process'; L17: import { logger } from '../utils/logger.js'; ... L222: let errorOutput = ''; L223: python.stdout?.on('data', (chunk) => { L224: output += chunk.toString(); ... L241: try { L242: const parsed = JSON.parse(output); L243: if (parsed.error) {
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/memory/embedder.jsView on unpkg · L15
    dist/agents/agents/runner.jsView file
    202encoding: 'utf-8', L203: shell: platform() === 'win32' ? (process.env.COMSPEC || 'cmd.exe') : '/bin/sh', L204: maxBuffer: 1024 * 1024,
    High
    Shell

    Package source references shell execution.

    dist/agents/agents/runner.jsView on unpkg · L202
    dist/plugins/agent-plugin.jsView file
    59// Dynamic import for ESM compatibility L60: const mod = await import(pluginPath); L61: if (!mod.default || !mod.default.metadata || !mod.default.getProviderType) {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/plugins/agent-plugin.jsView on unpkg · L59
    dist/agents/agents/package-agent.jsView file
    16import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
    Critical
    Npm Publish Worm

    Source mutates package metadata and republishes itself to npm.

    dist/agents/agents/package-agent.jsView on unpkg · L16
    16Trigger-reachable chain: manifest.main -> dist/index.js -> dist/agents/orchestrator.js -> dist/agents/agents/package-agent.js L16: import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/agents/agents/package-agent.jsView on unpkg · L16
    dist/agents/agents/tester.jsView file
    296try { L297: return execSync('npm install --prefer-offline --no-audit --no-fund 2>&1', { L298: cwd: sandboxPath,
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/agents/agents/tester.jsView on unpkg · L296

    Findings

    2 Critical6 High5 Medium6 Low
    CriticalNpm Publish Wormdist/agents/agents/package-agent.js
    CriticalTrigger Reachable Dangerous Capabilitydist/agents/agents/package-agent.js
    HighHigh SecretREADME.md
    HighChild Processdist/memory/embedder.js
    HighShelldist/agents/agents/runner.js
    HighRuntime Package Installdist/agents/agents/tester.js
    HighSecret PatternREADME.md
    HighSecret PatternREADME.md
    MediumDynamic Requiredist/plugins/agent-plugin.js
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/memory/embedder.js
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings