registry  /  agentlas  /  0.5.5

agentlas@0.5.5

Agentlas agent terminal — chat with your installed AI agents and teams from the terminal, Claude Code style. Standalone: no desktop app required.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior is present. A user-invoked Codex runtime failure can trigger a guarded repair that changes the user's Codex plugin configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs Agentlas with the Codex runtime; Codex exits without text and reports an OAuth-related MCP failure.
Impact
Can alter a third-party AI-agent configuration and create a backup; source restricts repair to host-matched plugin entries.
Mechanism
Automatically disables a matched OAuth MCP plugin after inspecting Codex error output and plugin cache.
Rationale
Source inspection found no concrete credential exfiltration, remote payload execution, or install-time persistence. Automatic mutation of `~/.codex/config.toml` after a runtime failure creates a guarded AI-agent extension lifecycle risk that warrants a warning, not a block.
Evidence
package.jsonbin/agentlas.cjsengine/agentlas-native-host.cjsengine/agentlas-doctor.cjsengine/agentlas.cjsengine/agentlas-api-agent.cjs~/.codex/config.toml~/.codex/config.toml.bak-doctor-<timestamp>~/.codex/auth.json<Agentlas user data>/runtime-homes/codex/config.toml
Network endpoints4
agentlas.cloudagentlas.cloud/api/mcp/v1api.anthropic.com/v1/messagesapi.openai.com/v1/chat/completions

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `engine/agentlas-native-host.cjs` auto-runs Runtime Doctor after a failed Codex execution.
  • `engine/agentlas-doctor.cjs` can back up and edit `~/.codex/config.toml`, disabling a detected plugin without separate confirmation.
  • `engine/agentlas-native-host.cjs` creates isolated `CODEX_HOME` and may link or copy existing `~/.codex/auth.json` into it.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `bin/agentlas.cjs` bootstraps local Agentlas SQLite data only when the user invokes the CLI.
  • Network calls target configured AI providers and Agentlas Cloud routes in user-invoked API, login, search, upload, or update features.
  • No `eval`, VM execution, remote code loader, or install-time network activity was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 21 file(s), 741 KB of source, external domains: 127.0.0.1, agentlas.cloud, api.anthropic.com, api.deepseek.com, api.moonshot.ai, api.openai.com, api.upstage.ai, api.z.ai, generativelanguage.googleapis.com, github.com, registry.npmjs.org

Source & flagged code

7 flagged · loading source
bin/agentlas.cjsView file
23const path = require("node:path"); L24: const { spawn } = require("node:child_process"); L25:
High
Child Process

Package source references child process execution.

bin/agentlas.cjsView on unpkg · L23
20L21: const fs = require("node:fs"); L22: const os = require("node:os");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/agentlas.cjsView on unpkg · L20
engine/agentlas-parity.cjsView file
325? "설치 또는 지정: HEPHAESTUS_CAREER_GRAPH_BIN=<경로> 또는 HEPHAESTUS_RUNTIME_ROOT=<경로>\n" L326: : "설치: https://agentlas.cloud · 또는 HEPHAESTUS_BIN=<경로> 지정\n", L327: ); ... L334: found.kind === "bin" L335: ? spawn(found.exec, isCareerGraph ? args.slice(1) : args, { cwd, stdio: "inherit" }) L336: : spawn("python3", ["-c", PY_BOOTSTRAP, moduleName, ...moduleArgs], { ... L338: stdio: "inherit", L339: env: { ...process.env, HEPHAESTUS_RUNTIME_ROOT: found.root }, L340: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

engine/agentlas-parity.cjsView on unpkg · L325
18const crypto = require("node:crypto"); L19: const { spawn } = require("node:child_process"); L20: const { Ui } = require("./agentlas-ui.cjs"); ... L37: function createLoginState(randomBytes = crypto.randomBytes) { L38: const bytes = Buffer.from(randomBytes(32)); L39: if (bytes.length !== 32) throw new Error("로그인 state 생성에 실패했습니다."); ... L59: try { L60: url = new URL(String(rawUrl || "/"), "http://127.0.0.1"); L61: } catch { ... L129: const candidates = [ L130: process.env.HEPHAESTUS_BIN, L131: path.join(os.homedir(), ".agentlas", "runtime", "current", "bin", "hephaestus"),
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

engine/agentlas-parity.cjsView on unpkg · L18
engine/agentlas.cjsView file
7785if (backend === "google") { L7786: const url = `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent?key=${encodeURIComponent(key)}`; L7787: const resp = await fetchImpl(url, { ... L7789: headers: { "content-type": "application/json" }, L7790: body: JSON.stringify({ systemInstruction: { parts: [{ text: system }] }, contents: [{ role: "user", parts: [{ text: prompt }] }] }), L7791: }); ... L7799: L7800: // 1회 실행 — CLI면 spawn(스트리밍 stdout), API면 호출 후 텍스트 출력. 종료코드 반환. L7801: // ctx = { projectPath, agentId } — 메모리 주입/큐레이션에 사용.
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

engine/agentlas.cjsView on unpkg · L7785
test/smoke.shView file
path = test/smoke.sh kind = payload_in_excluded_dir sizeBytes = 3496 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

test/smoke.shView on unpkg
path = test/smoke.sh kind = build_helper sizeBytes = 3496 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

test/smoke.shView on unpkg

Findings

6 High5 Medium4 Low
HighChild Processbin/agentlas.cjs
HighShell
HighSame File Env Network Executionengine/agentlas-parity.cjs
HighCommand Output Exfiltrationengine/agentlas.cjs
HighSandbox Evasion Gated Capabilityengine/agentlas-parity.cjs
HighPayload In Excluded Dirtest/smoke.sh
MediumDynamic Requirebin/agentlas.cjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertest/smoke.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings