registry  /  agent-nuvira  /  1.14.1

agent-nuvira@1.14.1

Agent-Nuvira: Multi-agent AI coding CLI — plan, write, review, test, and publish code with local models (Ollama) or cloud APIs (Groq, NVIDIA NIM, Google Gemini, OpenRouter)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked CLI auto-loads JavaScript plugins from its own `~/.buff` extension directories and exposes agents that can run shell commands, install dependencies, edit a target project, and publish it. No install-time execution or confirmed malicious exfiltration was established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Running the `agent-nuvira` CLI and invoking an agent/task that uses plugins, runner, tester, or package operations.
Impact
A user who runs untrusted tasks or places untrusted code in the package-owned plugin directories can cause local code execution; publish and project mutation actions are reachable through explicit task intent.
Mechanism
Package-owned plugin auto-loading plus agent-directed command execution.
Rationale
This is not concrete malware: there are no lifecycle hooks and the high-impact behavior is exposed through user-invoked agent workflows. It warrants a warning because startup plugin execution and host command fallback leave a meaningful dangerous-capability surface.
Evidence
package.jsondist/index.jsdist/plugins/agent-plugin.jsdist/agents/agents/runner.jsdist/agents/agents/tester.jsdist/agents/agents/package-agent.jsdist/agent-sdk/src/register.js

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` runs plugin auto-discovery whenever the CLI starts.
  • `dist/plugins/agent-plugin.js` creates and imports `.js` modules from `~/.buff/plugins` and `~/.buff/agents`.
  • `dist/agents/agents/runner.js` executes task- or LLM-derived shell commands on the host when Docker is unavailable.
  • `dist/agents/agents/tester.js` runs `npm install` and project tests in a generated sandbox.
  • `dist/agents/agents/package-agent.js` can modify a target project package manifest and run `npm publish` for a publish task.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • All reviewed write, install, publish, and shell paths require CLI/agent task execution; none run on package installation or import.
  • Plugin directories are package-owned `~/.buff/*`, not foreign AI-agent control surfaces.
  • Provider HTTP clients use configured API keys for named inference services; no credential harvesting or unrelated exfiltration was found.
  • No reviewed source used `eval`, `Function`, VM execution, native loading, destructive deletion, or stealth persistence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 94 file(s), 1.39 MB of source, external domains: aistudio.google.com, api.github.com, api.groq.com, build.nvidia.com, console.groq.com, docs.docker.com, fb.me, generativelanguage.googleapis.com, github.com, huggingface.co, integrate.api.nvidia.com, jsonplaceholder.typicode.com, openrouter.ai, python.org, raw.githubusercontent.com, reactjs.org, www.google.com, www.w3.org

Source & flagged code

10 flagged · loading source
README.mdView file
119patternName = google_api_key severity = high line = 119 matchedText = export G...xxx"
High
High Secret

Package contains a high-severity secret pattern.

README.mdView on unpkg · L119
119patternName = google_api_key severity = high line = 119 matchedText = export G...xxx"
High
Secret Pattern

Google API key in README.md

README.mdView on unpkg · L119
211patternName = google_api_key severity = high line = 211 matchedText = GEMINI_A...xxxx
High
Secret Pattern

Google API key in README.md

README.mdView on unpkg · L211
dist/memory/embedder.jsView file
15import { createHash } from 'node:crypto'; L16: import { spawn } from 'node:child_process'; L17: import { logger } from '../utils/logger.js';
High
Child Process

Package source references child process execution.

dist/memory/embedder.jsView on unpkg · L15
15import { createHash } from 'node:crypto'; L16: import { spawn } from 'node:child_process'; L17: import { logger } from '../utils/logger.js'; ... L222: let errorOutput = ''; L223: python.stdout?.on('data', (chunk) => { L224: output += chunk.toString(); ... L241: try { L242: const parsed = JSON.parse(output); L243: if (parsed.error) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/memory/embedder.jsView on unpkg · L15
dist/agents/agents/runner.jsView file
202encoding: 'utf-8', L203: shell: platform() === 'win32' ? (process.env.COMSPEC || 'cmd.exe') : '/bin/sh', L204: maxBuffer: 1024 * 1024,
High
Shell

Package source references shell execution.

dist/agents/agents/runner.jsView on unpkg · L202
dist/plugins/agent-plugin.jsView file
59// Dynamic import for ESM compatibility L60: const mod = await import(pluginPath); L61: if (!mod.default || !mod.default.metadata || !mod.default.getProviderType) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/agent-plugin.jsView on unpkg · L59
dist/agents/agents/package-agent.jsView file
16import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
Critical
Npm Publish Worm

Source mutates package metadata and republishes itself to npm.

dist/agents/agents/package-agent.jsView on unpkg · L16
16Trigger-reachable chain: manifest.main -> dist/index.js -> dist/agents/orchestrator.js -> dist/agents/agents/package-agent.js L16: import { join } from 'node:path'; L17: import { execSync } from 'node:child_process'; L18: import { Agent } from '../agent.js'; ... L43: name = 'Package'; L44: description = 'Manages package version, build, and npm publish'; L45: async execute(context, callLLM) { ... L87: async bumpVersion(context, description) { L88: const pkgPath = join(context.workingDirectory, 'package.json'); L89: if (!existsSync(pkgPath)) { ... L91: } L92: const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')); L93: const currentVersion = pkg.version || '0.0.0';
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/agents/agents/package-agent.jsView on unpkg · L16
dist/agents/agents/tester.jsView file
296try { L297: return execSync('npm install --prefer-offline --no-audit --no-fund 2>&1', { L298: cwd: sandboxPath,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/agents/agents/tester.jsView on unpkg · L296

Findings

2 Critical6 High5 Medium6 Low
CriticalNpm Publish Wormdist/agents/agents/package-agent.js
CriticalTrigger Reachable Dangerous Capabilitydist/agents/agents/package-agent.js
HighHigh SecretREADME.md
HighChild Processdist/memory/embedder.js
HighShelldist/agents/agents/runner.js
HighRuntime Package Installdist/agents/agents/tester.js
HighSecret PatternREADME.md
HighSecret PatternREADME.md
MediumDynamic Requiredist/plugins/agent-plugin.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/memory/embedder.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings