registry  /  agentesk  /  2.0.0

agentesk@2.0.0

Reusable project-local agent, skill, workflow, memory, and verification system for Codex.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `agentesk skill add`/`skill update`, then `agentesk skill run <name> <script> --force`.
Impact
A reviewed-but-untrusted imported skill can achieve code execution with the invoking user's permissions.
Mechanism
Downloads remote skill content and launches selected scripts via Python, Node, or Bash.
Rationale
This is a legitimate agent/skill management tool, not a concrete malicious package. However, it exposes an explicit remote-code import-and-run capability whose safeguards are insufficient to establish a clean verdict.
Evidence
package.jsonsrc/commands/external-skill.jssrc/commands/sandbox.jssrc/lib/registry.jstemplates/project/.agents/scripts/checklist.py.agents/skills/external/<repository>/<skill>.agents/registry/skills-lock.json.agents/registry/registries.json
Network endpoints2
api.github.comraw.githubusercontent.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/commands/external-skill.js` downloads every file in a user-selected GitHub skill directory.
  • `src/commands/sandbox.js` executes imported `.py`, `.js`, `.mjs`, or `.sh` files after explicit `--force`.
  • The execution environment restricts `HOME` but does not provide an OS/network sandbox.
  • Imported skill audit is regex-based; failing audits can be bypassed with `--force`.
Evidence against
  • `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
  • CLI import is inert until the user explicitly invokes `skill add` or `skill update`.
  • Bundled templates only provide project-local agent files and verification helpers; no covert network or credential collection found.
  • GitHub requests use an optional `GITHUB_TOKEN` only as an authorization header to GitHub endpoints.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 45 file(s), 95.2 KB of source, external domains: 127.0.0.1, api.github.com, github.com, raw.githubusercontent.com

Source & flagged code

2 flagged · loading source
templates/project/.agents/scripts/init_project.pyView file
path = templates/project/.agents/scripts/init_project.py kind = payload_in_excluded_dir sizeBytes = 1657 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/project/.agents/scripts/init_project.pyView on unpkg
path = templates/project/.agents/scripts/init_project.py kind = build_helper sizeBytes = 1657 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/project/.agents/scripts/init_project.pyView on unpkg

Findings

1 High4 Medium4 Low
HighPayload In Excluded Dirtemplates/project/.agents/scripts/init_project.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/project/.agents/scripts/init_project.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings