AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is established. Explicit agent enrollment executes an unpinned external bridge and supplies it a relay-issued connection blob.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `arp-tui agent add <name>` or elects an in-app agent handoff.
Impact
The bridge can receive agent enrollment material and execute as the user; its behavior is outside this package's reviewed source.
Mechanism
User-invoked external agent bridge enrollment and launch.
Rationale
Scanner credential/network findings map to this authenticated ARP client, not proven exfiltration. Flag as a warning because explicit agent setup delegates sensitive enrollment to an unpinned external executable.
Evidence
package.jsondist/index.jsREADME.mdnpm-shrinkwrap.json~/.arp-tui/config.json~/.arp-tui/credentials.json
Network endpoints2
arp-relay-dev.up.railway.appgenerous-fish-48.clerk.accounts.dev
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/index.js` defaults bridge execution to `npx -y @snowyroad/braid`.
- `agent add` obtains a relay invite and pipes its `connectBlob` to that bridge.
- Bridge enrollment then starts an agent unless `--no-start` is supplied.
- The bridge command is overrideable through `--bridge-cmd` or `ARP_TUI_BRIDGE_CMD`.
Evidence against
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- OAuth and relay requests send tokens only to configured ARP/Clerk endpoints.
- Credentials are stored in `~/.arp-tui/credentials.json` using mode `0600`.
- No `eval`, VM, dynamic module loading, or unrelated file harvesting was found.
- Source documents the bridge flow as an explicit `agent add` user action.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
41try {
L42: return JSON.parse(fs.readFileSync(file, "utf8"));
L43: } catch {
...
L47: function loosePermsError(p, expected) {
L48: if (process.platform === "win32") return null;
L49: let st;
...
L63: // src/config.ts
L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui");
L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json");
...
L73: var DEV_PROFILE = {
L74: relayUrl: "https://arp-relay-dev.up.railway.app",
L75: webUrl: "https://arp-web-dev.up.railway.app",
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.jsView on unpkg · L4141Trigger-reachable chain: manifest.bin -> dist/index.js
L41: try {
L42: return JSON.parse(fs.readFileSync(file, "utf8"));
L43: } catch {
...
L47: function loosePermsError(p, expected) {
L48: if (process.platform === "win32") return null;
L49: let st;
...
L63: // src/config.ts
L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui");
L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json");
...
L73: var DEV_PROFILE = {
L74: relayUrl: "https://arp-relay-dev.up.railway.app",
L75: webUrl: "https://arp-web-dev.up.railway.app",
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L41Findings
2 Critical3 Medium6 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License