registry  /  agenticros  /  0.5.8

agenticros@0.5.8

AgenticROS - agentic AI for ROS-powered robots. Single CLI to launch real-robot or simulated demos, manage configuration, and inspect status.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package offers explicit CLI setup that registers its MCP server with AI-agent hosts and bundles an OpenClaw plugin that activates when that plugin is installed in a gateway. It also exposes ROS2 robot-control capabilities through configured transports. No install-time or covert execution path was confirmed.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agenticros mcp setup`, a host-specific setup command, `agenticros init`, or installs/enables the bundled OpenClaw plugin.
Impact
Configured AI-agent hosts can launch the package MCP server; configured plugin users can issue robot-control operations.
Mechanism
First-party AI-agent extension registration plus ROS2 command/action tooling.
Rationale
Source inspection disproves the scanner's malicious conclusion: there is no install hook or hidden execution chain. The package nevertheless performs explicit AI-agent extension setup and provides real robot-control capabilities, which warrants a policy warning.
Evidence
package.jsondist/index.jsdist/util/mcp-setup.jsdist/util/codex-config.jsdist/util/mcp-discovery.jsdist/commands/publish-skill.jsruntime/packages/agenticros/agenticros-agenticros-0.0.1.tgz~/.codex/config.toml<project>/.codex/config.toml~/.openclaw/openclaw.json
Network endpoints1
api.github.com

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/util/mcp-setup.js` writes AgenticROS MCP entries for Codex, Hermes, and Claude.
  • `dist/util/codex-config.js` writes `~/.codex/config.toml` or project `.codex/config.toml`.
  • `runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgz` contains an OpenClaw plugin activated on gateway startup.
  • Bundled plugin registers ROS2 action and publish tools, enabling robot-control commands.
  • `dist/commands/publish-skill.js` reads GitHub tokens for its explicit publishing command.
Evidence against
  • Root `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook.
  • `dist/index.js` dispatches setup and robot actions only from CLI subcommands or its menu.
  • MCP configuration writes are scoped to the named `agenticros` entry and preserve other Codex config.
  • `dist/util/mcp-discovery.js` spawns the bundled/local MCP entry only when discovery is invoked.
  • No source evidence of covert credential exfiltration, remote payload download, eval, or destructive import-time behavior.
  • The `.tgz` is a readable packaged first-party OpenClaw plugin, not an opaque executable payload.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 198 file(s), 1.40 MB of source, external domains: 127.0.0.1, ai.google.dev, aistudio.google.com, api.github.com, claude.com, developers.openai.com, docs.ros.org, github.com, host.openshell.internal, huggingface.co, nodejs.org, skills.agenticros.com

Source & flagged code

10 flagged · loading source
dist/util/mcp-discovery.jsView file
16*/ L17: import { spawn } from "node:child_process"; L18: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/util/mcp-discovery.jsView on unpkg · L16
dist/util/workspace.jsView file
11import { join } from "node:path"; L12: import { execa } from "execa"; L13: import { info, ok, warn, withSpinner } from "./logger.js";
High
Shell

Package source references shell execution.

dist/util/workspace.jsView on unpkg · L11
dist/commands/skills-dev.jsView file
89}; L90: const require = createRequire(pathToFileURL(entryPath).href); L91: const mod = require(entryPath);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/skills-dev.jsView on unpkg · L89
dist/util/marketplace.jsView file
3* L4: * The marketplace itself is at https://sk[redacted] — this CLI L5: * talks to the REST endpoints exposed under /api/ (rewritten by Firebase ... L12: import { dirname, basename, join, resolve } from "node:path"; L13: import { execa } from "execa"; L14: import { discoveryRoots } from "./skills.js"; ... L16: export function apiBase() { L17: return (process.env.AGENTICROS_SKILLS_API || DEFAULT_API_BASE).replace(/\/+$/, ""); L18: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/util/marketplace.jsView on unpkg · L3
runtime/scripts/check-cli-tarball-install.mjsView file
197L198: // 6. pnpm install with the same flags init.ts uses L199: step("Running pnpm install with init.ts flags (this can take a minute)..."); L200: const installResult = spawnSync( L201: "pnpm",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

runtime/scripts/check-cli-tarball-install.mjsView on unpkg · L197
runtime/scripts/start_demo.shView file
path = runtime/scripts/start_demo.sh kind = build_helper sizeBytes = 5717 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/scripts/start_demo.shView on unpkg
runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView file
path = [redacted]-agenticros-0.0.1.tgz kind = high_entropy_blob sizeBytes = 115903 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkg
path = [redacted]-agenticros-0.0.1.tgz kind = compressed_blob sizeBytes = 115903 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkg
path = [redacted]-agenticros-0.0.1.tgz kind = nested_archive_needs_inspection sizeBytes = 115903 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkg
runtime/packages/robot-eyes/src/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = agenticros@0.5.6 matchedIdentity = npm:YWdlbnRpY3Jvcw:0.5.6 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

runtime/packages/robot-eyes/src/index.jsView on unpkg

Findings

1 Critical5 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltaruntime/packages/robot-eyes/src/index.js
HighChild Processdist/util/mcp-discovery.js
HighShelldist/util/workspace.js
HighSame File Env Network Executiondist/util/marketplace.js
HighRuntime Package Installruntime/scripts/check-cli-tarball-install.mjs
HighShips High Entropy Blobruntime/packages/agenticros/agenticros-agenticros-0.0.1.tgz
MediumDynamic Requiredist/commands/skills-dev.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperruntime/scripts/start_demo.sh
MediumShips Compressed Blobruntime/packages/agenticros/agenticros-agenticros-0.0.1.tgz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionruntime/packages/agenticros/agenticros-agenticros-0.0.1.tgz