registry  /  arp-tui  /  0.0.13

arp-tui@0.0.13

Human-facing terminal client for Agent Relay Protocol. Tail channels and post messages from your terminal.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is established. Explicit agent enrollment executes an unpinned external bridge and supplies it a relay-issued connection blob.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `arp-tui agent add <name>` or elects an in-app agent handoff.
Impact
The bridge can receive agent enrollment material and execute as the user; its behavior is outside this package's reviewed source.
Mechanism
User-invoked external agent bridge enrollment and launch.
Rationale
Scanner credential/network findings map to this authenticated ARP client, not proven exfiltration. Flag as a warning because explicit agent setup delegates sensitive enrollment to an unpinned external executable.
Evidence
package.jsondist/index.jsREADME.mdnpm-shrinkwrap.json~/.arp-tui/config.json~/.arp-tui/credentials.json
Network endpoints2
arp-relay-dev.up.railway.appgenerous-fish-48.clerk.accounts.dev

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` defaults bridge execution to `npx -y @snowyroad/braid`.
  • `agent add` obtains a relay invite and pipes its `connectBlob` to that bridge.
  • Bridge enrollment then starts an agent unless `--no-start` is supplied.
  • The bridge command is overrideable through `--bridge-cmd` or `ARP_TUI_BRIDGE_CMD`.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • OAuth and relay requests send tokens only to configured ARP/Clerk endpoints.
  • Credentials are stored in `~/.arp-tui/credentials.json` using mode `0600`.
  • No `eval`, VM, dynamic module loading, or unrelated file harvesting was found.
  • Source documents the bridge flow as an explicit `agent add` user action.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 191 KB of source, external domains: 127.0.0.1, app.example.com, arp-relay-dev.up.railway.app, arp-web-dev.up.railway.app, generous-fish-48.clerk.accounts.dev, relay.example.com, your-instance.clerk.accounts.dev

Source & flagged code

2 flagged · loading source
dist/index.jsView file
41try { L42: return JSON.parse(fs.readFileSync(file, "utf8")); L43: } catch { ... L47: function loosePermsError(p, expected) { L48: if (process.platform === "win32") return null; L49: let st; ... L63: // src/config.ts L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui"); L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json"); ... L73: var DEV_PROFILE = { L74: relayUrl: "https://arp-relay-dev.up.railway.app", L75: webUrl: "https://arp-web-dev.up.railway.app",
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L41
41Trigger-reachable chain: manifest.bin -> dist/index.js L41: try { L42: return JSON.parse(fs.readFileSync(file, "utf8")); L43: } catch { ... L47: function loosePermsError(p, expected) { L48: if (process.platform === "win32") return null; L49: let st; ... L63: // src/config.ts L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui"); L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json"); ... L73: var DEV_PROFILE = { L74: relayUrl: "https://arp-relay-dev.up.railway.app", L75: webUrl: "https://arp-web-dev.up.railway.app",
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L41

Findings

2 Critical3 Medium6 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License