registry  /  archal  /  0.10.0

archal@0.10.0

Test your agents & integrations against service clones

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack behavior was found. The main risky surface is explicit CLI/autoloop operation that uploads artifacts to Archal/E2B and configures a sandboxed Codex workspace.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes archal CLI autoloop/observability workflows.
Impact
User-authorized repo snapshots, traces, logs, and setup patches may be sent to Archal/E2B/GitHub during those workflows.
Mechanism
explicit agent-testing sandbox orchestration and setup PR generation
Rationale
Source inspection shows a legitimate agent/service-clone testing CLI with high-privilege behavior only under explicit user commands or sandbox execution, not install/import-time compromise. Agent configuration writes are first-party and sandbox/user-command scoped, so this should not be publish-blocked.
Evidence
package.jsonbin/archal.cjsdist/index.cjsdist/cli.cjsdist/commands/autoloop-worker.cjsdist/sdk/index.cjsrepo/.codex/skills~/.codex/config.toml.archal/autoloop
Network endpoints5
www.archal.aiapi.archal.aiapi.github.comwww.archal.ai/api/traces/otlpus.i.posthog.com

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/autoloop-worker.cjs builds sandbox scripts that copy package skills into repo/.codex/skills and write ~/.codex/config.toml inside the E2B sandbox.
  • dist/commands/autoloop-worker.cjs uploads trace/repo artifacts to E2B sandbox.files.write during explicit autoloop worker execution.
  • dist/cli.cjs observability setup can open GitHub PRs that add Archal OTLP instrumentation when user runs observability setup-pr.
Evidence against
  • package.json has no preinstall/install/postinstall; prepare points to absent scripts/prepare.cjs and is not a registry install hook.
  • bin/archal.cjs only requires dist/cli.cjs when the CLI is invoked.
  • dist/index.cjs only re-exports the SDK; no import-time shell or network action found.
  • Network endpoints are package-aligned: archal.ai/api.archal.ai, GitHub API, E2B, and PostHog telemetry.
  • Command execution and repo mutation are tied to explicit CLI/autoloop sandbox workflows, with redaction logic for secrets.
  • Scanner eval/obfuscation hits are bundled library/parser patterns, not hidden payload execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 18 file(s), 6.56 MB of source, external domains: acme.supabase.co, api.anthropic.com, api.apify.com, api.archal.ai, api.atlassian.com, api.deepseek.com, api.github.com, api.linear.app, api.openai.com, api.ramp.com, api.stripe.com, api.tavily.com, api.unipile.com, archal.ai, archalforge8f96908966.blob.core.windows.net, discord.com, generativelanguage.googleapis.com, github.com, json-schema.org, openrouter.ai, raw.githubusercontent.com, sentry.io, slack.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, twin-default.supabase.co, us.i.posthog.com, www.archal.ai, www.googleapis.com, www.safaribooksonline.com, www.w3.org
Oversized source lightweight scan
dist/cli.cjs5.84 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsacme.supabase.coapi.anthropic.comapi.deepseek.comapi.github.comapi.openai.comgenerativelanguage.googleapis.comopenrouter.aiwww.archal.ai

Source & flagged code

12 flagged · loading source
dist/sdk/index.cjsView file
14220patternName = github_pat severity = critical line = 14220 matchedText = var GITH...Tt";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/sdk/index.cjsView on unpkg · L14220
14220patternName = github_pat severity = critical line = 14220 matchedText = var GITH...Tt";
Critical
Secret Pattern

GitHub personal access token in dist/sdk/index.cjs

dist/sdk/index.cjsView on unpkg · L14220
14221patternName = slack_bot_token severity = critical line = 14221 matchedText = var SLAC...Wx";
Critical
Secret Pattern

Slack bot token in dist/sdk/index.cjs

dist/sdk/index.cjsView on unpkg · L14221
14223patternName = stripe_live_secret severity = critical line = 14223 matchedText = var STRI...89";
Critical
Secret Pattern

Stripe live secret key in dist/sdk/index.cjs

dist/sdk/index.cjsView on unpkg · L14223
dist/vitest/chunk-2PDHTPZC.jsView file
3750import { createHash, randomUUID } from "crypto"; L3751: import { spawn } from "child_process"; L3752: import { promises as fs } from "fs";
High
Child Process

Package source references child process execution.

dist/vitest/chunk-2PDHTPZC.jsView on unpkg · L3750
dist/commands/autoloop-worker.cjsView file
56module.exports = __toCommonJS(autoloop_worker_exports); L57: var import_node_child_process5 = require("child_process"); L58: var import_node_crypto14 = require("crypto"); ... L196: ]; L197: function [redacted](exitCode) { L198: return exitCode === 124 ? "timeout" : "failed"; ... L410: const candidates = /* @__PURE__ */ new Set(); L411: if (typeof __dirname === "string") { L412: candidates.add((0, import_node_path.join)(__dirname, "..", "package.json")); L413: candidates.add((0, import_node_path.join)(__dirname, "..", "..", "package.json")); ... L418: try { L419: return JSON.parse((0, import_node_fs.readFileSync)(path, "utf-8"));
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/commands/autoloop-worker.cjsView on unpkg · L56
31029}; L31030: function shellJson(value) { L31031: return JSON.stringify(value);
High
Shell

Package source references shell execution.

dist/commands/autoloop-worker.cjsView on unpkg · L31029
35297"const seedLoadInfrastructurePattern = /Failed to load seed into [\\s\\S]{0,200} service \\((?:0|502|503|504)\\)|clone control endpoint did not accept seed state|TWIN_WORKER_PROXY_... L35298: "const evalServerInfrastructurePattern = /(?:infrastructure connectivity failure|(?:analytics\\/)?eval(?:uation)? server[^\\n]{0,240}(?:not running|unreachable))/i;", L35299: "const dependencyInstallPattern = /(?:uv|pip3?|python\\s+-m\\s+pip|poetry|npm|pnpm|yarn)[\\s\\S]{0,1200}(?:Failed to download|Failed to fetch|error sending request|Could not resolv...
High
Eval

Package source references dynamic code evaluation.

dist/commands/autoloop-worker.cjsView on unpkg · L35297
56module.exports = __toCommonJS(autoloop_worker_exports); L57: var import_node_child_process5 = require("child_process"); L58: var import_node_crypto14 = require("crypto"); ... L196: ]; L197: function [redacted](exitCode) { L198: return exitCode === 124 ? "timeout" : "failed"; ... L410: const candidates = /* @__PURE__ */ new Set(); L411: if (typeof __dirname === "string") { L412: candidates.add((0, import_node_path.join)(__dirname, "..", "package.json")); L413: candidates.add((0, import_node_path.join)(__dirname, "..", "..", "package.json")); ... L418: try { L419: return JSON.parse((0, import_node_fs.readFileSync)(path, "utf-8"));
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/commands/autoloop-worker.cjsView on unpkg · L56
bin/archal.cjsView file
2L3: const { existsSync } = require("node:fs"); L4: const { join } = require("node:path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/archal.cjsView on unpkg · L2
dist/cli.cjsView file
path = dist/cli.cjs kind = oversized_source_file sizeBytes = 6125704 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.cjsView on unpkg
path = dist/cli.cjs kind = oversized_cli_entrypoint sizeBytes = 6125704 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.cjsView on unpkg

Findings

5 Critical5 High5 Medium8 Low
CriticalCritical Secretdist/sdk/index.cjs
CriticalCommand Output Exfiltrationdist/commands/autoloop-worker.cjs
CriticalSecret Patterndist/sdk/index.cjs
CriticalSecret Patterndist/sdk/index.cjs
CriticalSecret Patterndist/sdk/index.cjs
HighChild Processdist/vitest/chunk-2PDHTPZC.js
HighShelldist/commands/autoloop-worker.cjs
HighEvaldist/commands/autoloop-worker.cjs
HighObfuscated Payload Loaderdist/commands/autoloop-worker.cjs
HighOversized Source Filedist/cli.cjs
MediumDynamic Requirebin/archal.cjs
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.cjs
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License