registry  /  arp-tui  /  0.0.1

arp-tui@0.0.1

Human-facing terminal client for Agent Relay Protocol. Tail channels and post messages from your terminal.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The CLI performs user-invoked OAuth and authenticated relay communication for its stated terminal-client function.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `arp-tui login`, `arp-tui`, or another CLI command.
Impact
Stores its own credentials locally and sends them only as authentication to configured service endpoints.
Mechanism
OAuth token management and authenticated REST/WebSocket relay client.
Rationale
The scanner’s credential/network findings correspond to the documented OAuth login and authenticated relay client. Source inspection found no lifecycle execution on install, exfiltration to an unrelated endpoint, stealth persistence, or destructive behavior.
Evidence
package.jsonREADME.mddist/index.js
Network endpoints4
arp-relay-dev.up.railway.apparp-web-dev.up.railway.appgenerous-fish-48.clerk.accounts.devws(s)://<configured relay>/ws/client

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has only `prepublishOnly`; no install-time hook.
    • `dist/index.js` runs as the user-invoked CLI bin.
    • OAuth browser launch and loopback callback occur only for `login`.
    • Tokens are stored under `~/.arp-tui` with directory/file modes 0700/0600.
    • Bearer tokens are sent only to configured ARP relay, OAuth, and WebSocket endpoints.
    • No eval, dynamic loading, shell payload, broad file harvesting, or AI-agent config writes found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 81.5 KB of source, external domains: 127.0.0.1, app.example.com, arp-relay-dev.up.railway.app, arp-web-dev.up.railway.app, generous-fish-48.clerk.accounts.dev, relay.example.com, your-instance.clerk.accounts.dev

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    41try { L42: return JSON.parse(fs.readFileSync(file, "utf8")); L43: } catch { ... L47: function loosePermsError(p, expected) { L48: if (process.platform === "win32") return null; L49: let st; ... L63: // src/config.ts L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui"); L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json"); ... L73: var DEV_PROFILE = { L74: relayUrl: "https://arp-relay-dev.up.railway.app", L75: webUrl: "https://arp-web-dev.up.railway.app",
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/index.jsView on unpkg · L41
    41Trigger-reachable chain: manifest.bin -> dist/index.js L41: try { L42: return JSON.parse(fs.readFileSync(file, "utf8")); L43: } catch { ... L47: function loosePermsError(p, expected) { L48: if (process.platform === "win32") return null; L49: let st; ... L63: // src/config.ts L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui"); L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json"); ... L73: var DEV_PROFILE = { L74: relayUrl: "https://arp-relay-dev.up.railway.app", L75: webUrl: "https://arp-web-dev.up.railway.app",
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index.jsView on unpkg · L41

    Findings

    2 Critical3 Medium6 Low
    CriticalCredential Exfiltrationdist/index.js
    CriticalTrigger Reachable Dangerous Capabilitydist/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License