registry  /  agentools  /  2.12.30

agentools@2.12.30

Universal skill, workflow & global rules manager for AI coding assistants with bi-directional GitHub sync

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Confirmed install-time mutation of a foreign AI-agent MCP control surface. The postinstall script silently adds or repairs an enabled Bitwarden MCP server in Antigravity config if the directory exists.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of agentools@2.12.30
Impact
Antigravity may later run a newly configured npx-launched MCP server with Bitwarden-related environment placeholders or repaired settings.
Mechanism
unconsented postinstall AI-agent MCP config mutation
Policy narrative
On npm install, package.json invokes scripts/postinstall.js. That script detects Antigravity via platforms.js and, unless AI_AGENT_NO_AUTOCONFIG is set, writes ~/.gemini/antigravity/mcp_config.json to add or enable a bitwarden MCP server using npx -y @bitwarden/mcp-server. This mutates a broad AI-agent control surface before the user runs an explicit agentools command.
Rationale
The source shows unconsented postinstall mutation of a foreign AI-agent MCP configuration, which matches the block policy even though broader package functionality is aligned with AI-agent config management. No separate exfiltration chain was found, but the install-time control-surface write is concrete. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonscripts/postinstall.jsscripts/platforms.js~/.gemini/antigravity/mcp_config.json

Decision evidence

public snapshot
AI called this Malicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs node scripts/postinstall.js on npm postinstall
  • scripts/postinstall.js writes Antigravity MCP config during install when ~/.gemini/antigravity exists
  • postinstall adds/enables bitwarden MCP with command npx and args [-y,@bitwarden/mcp-server]
  • opt-out requires AI_AGENT_NO_AUTOCONFIG; no explicit install-time consent prompt
  • scripts/platforms.js identifies Antigravity config path as ~/.gemini/antigravity/mcp_config.json
Evidence against
  • Main package purpose is AI-agent skill/config management across platforms
  • Postinstall targets a specific detected platform and preserves existing config keys
  • No source evidence of credential exfiltration or destructive filesystem behavior in postinstall
  • CLI installs skills/MCP/rules mostly through explicit user commands
  • Bitwarden tools list disables many high-risk org/send operations
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 159 KB of source, external domains: github.com, vault.bitwarden.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/secret-manager.jsView file
7const path = require("path"); L8: const { execSync, spawnSync } = require("child_process"); L9: const os = require("os"); L10: L11: const HOME = os.homedir(); L12: ... L36: }); L37: const output = result.stdout || ""; L38: const json = JSON.parse(output.trim()); L39: return json.status; // "unauthenticated", "locked", "unlocked" ... L48: function loginBitwarden() { L49: const clientId = process.env.BW_CLIENTID;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/secret-manager.jsView on unpkg · L7
scripts/postinstall.jsView file
29Install-time AI-agent control hijack evidence: L79: try { L80: let mcpConfig = { mcpServers: {} }; L81: ... L91: let changed = false; L92: if (!mcpConfig.mcpServers.bitwarden) { L93: mcpConfig.mcpServers.bitwarden = { L94: command: "npx", ... L106: // Ensure correct env var names even if already exists L107: const bw = mcpConfig.mcpServers.bitwarden; L108: if (!bw.env.BW_SESSION || !bw.env.BW_CLIENT_ID || !bw.env.BW_CLIENT_SECRET || bw.disabled) { ... L127: if (changed) { L128: fs.writeFileSync( Payload evidence from scripts/mcp-installer.js: L29: L30: const expanded = repoLocal.replace(/^~/, process.env.HOME || process.env.USERPROFILE); L31: const mcpDir = path.join(expanded, ".agents", "mcp-servers"); ... L80: try { L81: const config = JSON.parse(fs.readFileSync(configPath, "utf-8")); L82: const validation = validateMcpConfig(config); ... L155: // Only on Unix-like systems (macOS, Linux) - Windows uses ACL instead L156: if (process.platform !== "win32") { L157: try {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L29

Findings

1 Critical1 High4 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumInstall Persistencescripts/secret-manager.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings