registry  /  autodev-ai  /  0.4.1

autodev-ai@0.4.1

AutoDev — Autonomous Engineering Team. DevTeam in a Box. Runs on pi.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a high-privilege developer automation CLI with user-invoked installers, credential configuration, docs fetching, and uninstall cleanup.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `autodev` subcommands or install.sh manually.
Impact
Could modify local project/agent config or install/remove tools when explicitly invoked; no evidence of covert install-time execution or exfiltration.
Mechanism
User-invoked automation CLI with shell/package-manager/network operations.
Rationale
Static inspection found risky but package-aligned developer automation features activated by explicit CLI/install commands, with no lifecycle hook, covert credential harvesting, or unauthorized persistence. The scanner's secret and exfiltration hints map to tests, provider key validation, and embeddings functionality rather than malicious data flow.
Evidence
package.jsonscripts/cli.tsinstall.shextensions/autodev/installer/tools.tsextensions/autodev/installer/config-module.tsextensions/autodev/installer/uninstall-module.tsextensions/autodev/installer/key-validator.tsextensions/autodev/docs/seeding.tsextensions/autodev/embeddings.tsextensions/autodev/debug/__tests__/debug.test.ts~/.AutoDev/agent/.env~/.AutoDev/agent/auth.json~/.AutoDev/agent/models.json~/.bashrc~/.zshrc~/.profile~/.config/fish/config.fish.autodev/docs-corpus/
Network endpoints10
raw.githubusercontent.com/Homebrew/install/HEAD/install.shcli.github.com/packages/githubcli-archive-keyring.gpgdeb.nodesource.com/setup_lts.xapi.voyageai.com/v1/embeddingsollama.com/api/tagsapi.openai.com/v1/modelsapi.anthropic.com/v1/modelsgenerativelanguage.googleapis.com/v1beta/modelsdiscord.com/api/v10/users/@mebun.sh/install

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • scripts/cli.ts exposes user-invoked commands that run execSync for doctor/update/uninstall, including global self-update and cache deletion.
  • extensions/autodev/installer/tools.ts can bootstrap Homebrew via curl|bash and install system tools, but only from installer/doctor flows.
  • extensions/autodev/installer/config-module.ts prompts for API tokens and writes them to agent .env/auth files; key validation sends tokens only to matching provider endpoints.
  • extensions/autodev/docs/seeding.ts fetches or git-clones configured docs sources into a docs corpus.
  • extensions/autodev/installer/uninstall-module.ts removes ~/.AutoDev, ~/.pi, ~/.autodev and shell rc env lines when `autodev uninstall` is invoked.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; execution is via bin `autodev`.
  • scripts/cli.ts loads local agent .env but does not exfiltrate it; networked operations are explicit config/update/docs commands.
  • extensions/autodev/embeddings.ts sends document/query text to VoyageAI only when VOYAGE_API_KEY is set, aligned with embeddings feature.
  • extensions/autodev/debug/__tests__/debug.test.ts contains fake test secret strings used to verify redaction, not live credentials.
  • No import-time persistence or unconsented AI-agent control-surface mutation found in inspected entrypoints.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 93 file(s), 669 KB of source, external domains: api.anthropic.com, api.context7.com, api.openai.com, api.voyageai.com, bun.sh, cli.github.com, deb.nodesource.com, discord.com, generativelanguage.googleapis.com, github.com, grep.app, ollama.com, raw.githubusercontent.com

Source & flagged code

10 flagged · loading source
extensions/autodev/debug/__tests__/debug.test.tsView file
247patternName = github_pat severity = critical line = 247 matchedText = github: ...34",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L247
247patternName = github_pat severity = critical line = 247 matchedText = github: ...34",
Critical
Secret Pattern

GitHub personal access token in extensions/autodev/debug/__tests__/debug.test.ts

extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L247
246patternName = google_api_key severity = high line = 246 matchedText = google: ...PQ",
High
Secret Pattern

Google API key in extensions/autodev/debug/__tests__/debug.test.ts

extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L246
extensions/autodev/background/manager.tsView file
150L151: spawn(config: SpawnConfig): string { L152: const id = this.nextId();
High
Child Process

Package source references child process execution.

extensions/autodev/background/manager.tsView on unpkg · L150
extensions/autodev/docs/seeding.tsView file
194const mdUrls: string[] = []; L195: let match: RegExpExecArray | null; L196: while ((match = linkRegex.exec(indexText)) !== null) {
High
Shell

Package source references shell execution.

extensions/autodev/docs/seeding.tsView on unpkg · L194
extensions/autodev/installer/uninstall-module.tsView file
181try { L182: const { execSync } = await import("node:child_process"); L183: const cmd = `npx @earendil-works/pi-coding-agent uninstall ${source}`; L184: execSync(cmd, { stdio: "pipe", timeout: 60_000, cwd: process.cwd() });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

extensions/autodev/installer/uninstall-module.tsView on unpkg · L181
23const SHELL_RC_CANDIDATES = [ L24: ".bashrc", L25: ".zshrc", ... L55: const { notify } = deps; L56: const home = process.env.HOME ?? "~"; L57: const targets = [ ... L181: try { L182: const { execSync } = await import("node:child_process"); L183: const cmd = `npx @earendil-works/pi-coding-agent uninstall ${source}`; L184: execSync(cmd, { stdio: "pipe", timeout: 60_000, cwd: process.cwd() }); L185: notify(`Uninstalled ${source}`, "info");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

extensions/autodev/installer/uninstall-module.tsView on unpkg · L23
extensions/autodev/embeddings.tsView file
37): Promise<Float32Array[]> { L38: const apiKey = process.env.VOYAGE_API_KEY; L39: if (!apiKey) throw new Error("VOYAGE_API_KEY not set"); ... L42: const batch = texts.slice(i, i + VOYAGE_BATCH_SIZE); L43: const res = await fetch("https://api.voyageai.com/v1/embeddings", { L44: method: "POST", ... L48: }, L49: body: JSON.stringify({ L50: model: "voyage-3", ... L55: if (!res.ok) { L56: throw new Error(`VoyageAI embeddings failed: ${res.status} ${await res.text()}`); L57: }
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

extensions/autodev/embeddings.tsView on unpkg · L37
extensions/autodev/installer/tools.tsView file
1import { execSync, type ExecSyncOptions } from "node:child_process"; L2: import { platform } from "node:os"; ... L59: function isNonInteractive(): boolean { L60: if (process.env.CI === "true" || process.env.CI === "1") return true; L61: if (process.stdout != null && process.stdout.isTTY === false) return true; L62: if (process.argv.includes("--yes") || process.argv.includes("-y")) return true; ... L65: L66: const HOMEBREW_BOOTSTRAP_URL = "https://raw.githubusercontent.[redacted].sh"; L67: ... L108: notify(`Installing Homebrew from ${HOMEBREW_BOOTSTRAP_URL}...`, "info"); L109: exec(`bash -c 'NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL ${HOMEBREW_BOOTSTRAP_URL})"`, { L110: stdio: "inherit",
Critical
Download Execute

Source downloads or fetches remote code and executes it.

extensions/autodev/installer/tools.tsView on unpkg · L1
install.shView file
path = install.sh kind = build_helper sizeBytes = 2692 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

3 Critical5 High5 Medium4 Low
CriticalCritical Secretextensions/autodev/debug/__tests__/debug.test.ts
CriticalDownload Executeextensions/autodev/installer/tools.ts
CriticalSecret Patternextensions/autodev/debug/__tests__/debug.test.ts
HighChild Processextensions/autodev/background/manager.ts
HighShellextensions/autodev/docs/seeding.ts
HighCredential Exfiltrationextensions/autodev/embeddings.ts
HighRuntime Package Installextensions/autodev/installer/uninstall-module.ts
HighSecret Patternextensions/autodev/debug/__tests__/debug.test.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceextensions/autodev/installer/uninstall-module.ts
MediumShips Build Helperinstall.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings