registry  /  agenticros  /  0.5.5

agenticros@0.5.5

AgenticROS - agentic AI for ROS-powered robots. Single CLI to launch real-robot or simulated demos, manage configuration, and inspect status.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit setup commands can register an AgenticROS MCP server in AI-agent host configuration files. The bundled OpenClaw extension activates on gateway startup after user-approved setup. No unconsented install-time mutation or confirmed exfiltration was established.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agenticros mcp setup`, a host-specific setup command, or confirms plugin setup during `agenticros init`.
Impact
Configured AI hosts may launch the package-owned MCP server, which exposes ROS robot-control capabilities under the user's agent permissions.
Mechanism
User-invoked AI-agent MCP and OpenClaw extension registration.
Rationale
Source supports a warning for explicit first-party AI-agent extension setup with consequential ROS control capabilities. The scanner's malicious label is not substantiated because there is no install-time hook or concrete malicious chain.
Evidence
package.jsondist/index.jsdist/util/mcp-setup.jsdist/util/codex-config.jsdist/util/claude-config.jsdist/commands/init.jsruntime/packages/agenticros/agenticros-agenticros-0.0.1.tgz~/.codex/config.toml~/.hermes/config.yaml~/.mcp.json~/Library/Application Support/Claude/claude_desktop_config.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/util/mcp-setup.js` explicitly configures Codex, Hermes, and Claude MCP hosts.
  • `dist/util/codex-config.js` writes an enabled `agenticros` server into `~/.codex/config.toml`.
  • `dist/util/claude-config.js` and `dist/util/hermes-config.js` preserve other entries but write their `agenticros` host entries.
  • `runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgz` contains a first-party OpenClaw plugin with `onStartup` activation.
  • `dist/commands/init.js` runs plugin setup only after an interactive confirmation.
Evidence against
  • `package.json` has only `prepublishOnly`; no install, preinstall, or postinstall hook.
  • CLI entrypoint dispatches commands; source shows no import-time config mutation.
  • No inspected source showed credential harvesting or secret exfiltration.
  • No fixed non-local exfiltration endpoint or remote payload loader was found.
  • Dynamic local skill loading in `dist/commands/skills-dev.js` is initiated by an explicit developer command.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 196 file(s), 1.38 MB of source, external domains: 127.0.0.1, ai.google.dev, aistudio.google.com, api.github.com, claude.com, developers.openai.com, docs.ros.org, github.com, host.openshell.internal, huggingface.co, nodejs.org, skills.agenticros.com

Source & flagged code

10 flagged · loading source
dist/util/mcp-discovery.jsView file
16*/ L17: import { spawn } from "node:child_process"; L18: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/util/mcp-discovery.jsView on unpkg · L16
dist/util/workspace.jsView file
11import { join } from "node:path"; L12: import { execa } from "execa"; L13: import { info, ok, warn, withSpinner } from "./logger.js";
High
Shell

Package source references shell execution.

dist/util/workspace.jsView on unpkg · L11
dist/commands/skills-dev.jsView file
89}; L90: const require = createRequire(pathToFileURL(entryPath).href); L91: const mod = require(entryPath);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/skills-dev.jsView on unpkg · L89
dist/util/marketplace.jsView file
3* L4: * The marketplace itself is at https://sk[redacted] — this CLI L5: * talks to the REST endpoints exposed under /api/ (rewritten by Firebase ... L12: import { dirname, basename, join, resolve } from "node:path"; L13: import { execa } from "execa"; L14: import { discoveryRoots } from "./skills.js"; ... L16: export function apiBase() { L17: return (process.env.AGENTICROS_SKILLS_API || DEFAULT_API_BASE).replace(/\/+$/, ""); L18: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/util/marketplace.jsView on unpkg · L3
runtime/scripts/check-cli-tarball-install.mjsView file
197L198: // 6. pnpm install with the same flags init.ts uses L199: step("Running pnpm install with init.ts flags (this can take a minute)..."); L200: const installResult = spawnSync( L201: "pnpm",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

runtime/scripts/check-cli-tarball-install.mjsView on unpkg · L197
runtime/scripts/start_demo.shView file
path = runtime/scripts/start_demo.sh kind = build_helper sizeBytes = 5717 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/scripts/start_demo.shView on unpkg
runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView file
path = [redacted]-agenticros-0.0.1.tgz kind = high_entropy_blob sizeBytes = 115903 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkg
path = [redacted]-agenticros-0.0.1.tgz kind = compressed_blob sizeBytes = 115903 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkg
path = [redacted]-agenticros-0.0.1.tgz kind = nested_archive_needs_inspection sizeBytes = 115903 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkg
runtime/packages/robot-eyes/src/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = agenticros@0.5.3 matchedIdentity = npm:YWdlbnRpY3Jvcw:0.5.3 similarity = 0.892 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

runtime/packages/robot-eyes/src/index.jsView on unpkg

Findings

1 Critical5 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltaruntime/packages/robot-eyes/src/index.js
HighChild Processdist/util/mcp-discovery.js
HighShelldist/util/workspace.js
HighSame File Env Network Executiondist/util/marketplace.js
HighRuntime Package Installruntime/scripts/check-cli-tarball-install.mjs
HighShips High Entropy Blobruntime/packages/agenticros/agenticros-agenticros-0.0.1.tgz
MediumDynamic Requiredist/commands/skills-dev.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperruntime/scripts/start_demo.sh
MediumShips Compressed Blobruntime/packages/agenticros/agenticros-agenticros-0.0.1.tgz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionruntime/packages/agenticros/agenticros-agenticros-0.0.1.tgz