registry  /  agentesk  /  3.0.0

agentesk@3.0.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack is established. The CLI explicitly installs a first-party `.agents` control surface and can import/run externally sourced skill scripts after user commands and a force gate.

Static reason
No blocking static signals were detected.
Trigger
User runs `agentesk init`, `install`, `update`, `skill add`, or forced `skill run`.
Impact
Can alter project agent guidance and execute an imported skill script when the user explicitly forces it.
Mechanism
Project-local agent-template installation plus explicit GitHub skill import and gated script execution.
Rationale
Source shows explicit project agent-control-surface setup and optional remote skill execution, so policy calls for a warning. No concrete malicious chain or unconsented install-time behavior was found.
Evidence
apps/cli/package.jsonapps/cli/src/commands/install.jsapps/cli/src/commands/update.jsapps/cli/src/commands/external-skill.jsapps/cli/src/commands/sandbox.jstemplates/project/.agents/scripts/init_project.pyAGENTS.md.agents/.agents/skills/external/
Network endpoints2
api.github.comraw.githubusercontent.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `install`/`init` copy `AGENTS.md` and `.agents/` into the selected project.
  • `update` overwrites managed `.agents` files on an explicit CLI command.
  • External-skill import downloads selected GitHub skill files into `.agents/skills/external`.
  • `skill run` executes imported `.py`, `.js`, `.mjs`, or `.sh` only with `--force`.
Evidence against
  • Root and CLI manifests contain no `preinstall`, `install`, or `postinstall` hook.
  • CLI entrypoint only dispatches user-supplied commands; imports and writes are not automatic.
  • Network use is limited to explicit GitHub registry/skill operations.
  • Template Python helpers are readable project-local setup/validation scripts; no payload or exfiltration was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 127 file(s), 194 KB of source, external domains: 127.0.0.1, api.github.com, github.com, raw.githubusercontent.com

Source & flagged code

2 flagged · loading source
templates/project/.agents/scripts/init_project.pyView file
path = templates/project/.agents/scripts/init_project.py kind = payload_in_excluded_dir sizeBytes = 1657 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/project/.agents/scripts/init_project.pyView on unpkg
path = templates/project/.agents/scripts/init_project.py kind = build_helper sizeBytes = 1657 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/project/.agents/scripts/init_project.pyView on unpkg

Findings

1 High5 Medium5 Low
HighPayload In Excluded Dirtemplates/project/.agents/scripts/init_project.py
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/project/.agents/scripts/init_project.py
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License