registry  /  autodev-ai  /  0.5.1

autodev-ai@0.5.1

AutoDev — Autonomous Engineering Team. DevTeam in a Box. Runs on pi.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

A real unresolved command-injection risk exists in the Discord slash-command bridge. It is activated by a Discord message handled by the configured bot, not by package install or import.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Configured Discord bridge receives /autodev task <args>.
Impact
A Discord user able to send bot commands could execute local shell commands as the AutoDev process user.
Mechanism
shell command injection through execSync string interpolation
Attack narrative
If the Discord bridge is enabled, a sender can invoke /autodev task with shell metacharacters. handleTaskCommand interpolates that text into a gh issue create command passed to execSync, so shell command substitution can run before gh executes. This is a critical remote command injection exposure, but inspection did not find install-time execution, credential harvesting, or confirmed exfiltration payloads.
Rationale
The package is not clearly malicious at install/import time, and most network/shell behavior is package-aligned and user-invoked. However, the Discord slash command path contains a concrete remote command execution vulnerability, so it should warn rather than be marked clean.
Evidence
package.jsonscripts/cli.tsextensions/autodev/discord/slash.tsextensions/autodev/installer/tools.tsextensions/autodev/installer/uninstall-module.tsextensions/autodev/docs/seeding.tsextensions/autodev/embeddings.tsextensions/autodev/debug/__tests__/debug.test.tsinstall.sh
Network endpoints6
discord.com/api/v10api.voyageai.com/v1/embeddingsraw.githubusercontent.com/Homebrew/install/HEAD/install.shcli.github.com/packagesdeb.nodesource.com/setup_lts.xbun.sh/install

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • extensions/autodev/discord/slash.ts builds execSync shell strings from Discord command args in handleTaskCommand.
  • /autodev task only escapes double quotes; shell metacharacters like command substitution remain inside the execSync command string.
  • scripts/cli.ts update runs user-invoked npm/bun self-update and rm -rf of bun cache, not install-time.
  • extensions/autodev/installer/tools.ts can curl/bash Homebrew and install OS tools, but only via installer/doctor flow.
  • extensions/autodev/embeddings.ts sends document/query text to VoyageAI with VOYAGE_API_KEY when docs embedding is invoked.
Evidence against
  • package.json has no preinstall/postinstall lifecycle hooks.
  • bin entry is scripts/cli.ts; import-time behavior is limited to function definitions until import.meta.main.
  • extensions/autodev/debug/__tests__/debug.test.ts contains test fake secret data for redaction, not live credentials.
  • Network endpoints are aligned with documented features: Discord, GitHub/npm update, Voyage embeddings, docs seeding, installer validation.
  • Uninstall destructive rmSync targets are explicit AutoDev home/config/state paths and require autodev uninstall.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 93 file(s), 672 KB of source, external domains: api.anthropic.com, api.context7.com, api.openai.com, api.voyageai.com, bun.sh, cli.github.com, deb.nodesource.com, discord.com, generativelanguage.googleapis.com, github.com, grep.app, ollama.com, raw.githubusercontent.com

Source & flagged code

11 flagged · loading source
extensions/autodev/debug/__tests__/debug.test.tsView file
247patternName = github_pat severity = critical line = 247 matchedText = github: ...34",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L247
247patternName = github_pat severity = critical line = 247 matchedText = github: ...34",
Critical
Secret Pattern

GitHub personal access token in extensions/autodev/debug/__tests__/debug.test.ts

extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L247
246patternName = google_api_key severity = high line = 246 matchedText = google: ...PQ",
High
Secret Pattern

Google API key in extensions/autodev/debug/__tests__/debug.test.ts

extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L246
extensions/autodev/background/manager.tsView file
150L151: spawn(config: SpawnConfig): string { L152: const id = this.nextId();
High
Child Process

Package source references child process execution.

extensions/autodev/background/manager.tsView on unpkg · L150
extensions/autodev/docs/seeding.tsView file
194const mdUrls: string[] = []; L195: let match: RegExpExecArray | null; L196: while ((match = linkRegex.exec(indexText)) !== null) {
High
Shell

Package source references shell execution.

extensions/autodev/docs/seeding.tsView on unpkg · L194
extensions/autodev/installer/uninstall-module.tsView file
181try { L182: const { execSync } = await import("node:child_process"); L183: const cmd = `npx @earendil-works/pi-coding-agent uninstall ${source}`; L184: execSync(cmd, { stdio: "pipe", timeout: 60_000, cwd: process.cwd() });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

extensions/autodev/installer/uninstall-module.tsView on unpkg · L181
23const SHELL_RC_CANDIDATES = [ L24: ".bashrc", L25: ".zshrc", ... L55: const { notify } = deps; L56: const home = process.env.HOME ?? "~"; L57: const targets = [ ... L181: try { L182: const { execSync } = await import("node:child_process"); L183: const cmd = `npx @earendil-works/pi-coding-agent uninstall ${source}`; L184: execSync(cmd, { stdio: "pipe", timeout: 60_000, cwd: process.cwd() }); L185: notify(`Uninstalled ${source}`, "info");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

extensions/autodev/installer/uninstall-module.tsView on unpkg · L23
extensions/autodev/embeddings.tsView file
37): Promise<Float32Array[]> { L38: const apiKey = process.env.VOYAGE_API_KEY; L39: if (!apiKey) throw new Error("VOYAGE_API_KEY not set"); ... L42: const batch = texts.slice(i, i + VOYAGE_BATCH_SIZE); L43: const res = await fetch("https://api.voyageai.com/v1/embeddings", { L44: method: "POST", ... L48: }, L49: body: JSON.stringify({ L50: model: "voyage-3", ... L55: if (!res.ok) { L56: throw new Error(`VoyageAI embeddings failed: ${res.status} ${await res.text()}`); L57: }
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

extensions/autodev/embeddings.tsView on unpkg · L37
extensions/autodev/installer/tools.tsView file
1import { execSync, type ExecSyncOptions } from "node:child_process"; L2: import { platform } from "node:os"; ... L59: function isNonInteractive(): boolean { L60: if (process.env.CI === "true" || process.env.CI === "1") return true; L61: if (process.stdout != null && process.stdout.isTTY === false) return true; L62: if (process.argv.includes("--yes") || process.argv.includes("-y")) return true; ... L65: L66: const HOMEBREW_BOOTSTRAP_URL = "https://raw.githubusercontent.[redacted].sh"; L67: ... L108: notify(`Installing Homebrew from ${HOMEBREW_BOOTSTRAP_URL}...`, "info"); L109: exec(`bash -c 'NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL ${HOMEBREW_BOOTSTRAP_URL})"`, { L110: stdio: "inherit",
Critical
Download Execute

Source downloads or fetches remote code and executes it.

extensions/autodev/installer/tools.tsView on unpkg · L1
install.shView file
path = install.sh kind = build_helper sizeBytes = 2692 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg
extensions/autodev/discord/slash.tsView file
matchType = previous_version_dangerous_delta matchedPackage = autodev-ai@0.5.0 matchedIdentity = npm:YXV0b2Rldi1haQ:0.5.0 similarity = 0.946 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

extensions/autodev/discord/slash.tsView on unpkg

Findings

4 Critical5 High5 Medium4 Low
CriticalCritical Secretextensions/autodev/debug/__tests__/debug.test.ts
CriticalDownload Executeextensions/autodev/installer/tools.ts
CriticalPrevious Version Dangerous Deltaextensions/autodev/discord/slash.ts
CriticalSecret Patternextensions/autodev/debug/__tests__/debug.test.ts
HighChild Processextensions/autodev/background/manager.ts
HighShellextensions/autodev/docs/seeding.ts
HighCredential Exfiltrationextensions/autodev/embeddings.ts
HighRuntime Package Installextensions/autodev/installer/uninstall-module.ts
HighSecret Patternextensions/autodev/debug/__tests__/debug.test.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceextensions/autodev/installer/uninstall-module.ts
MediumShips Build Helperinstall.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings