registry  /  bobbytools  /  2.1.0

bobbytools@2.1.0

AI Provider Manager & CLI Launcher — manage multiple AI providers, accounts, and models, then launch any CLI tool with the right environment variables

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs an interactive or `bobby go` session selecting `opencode`.
Impact
A user-selected plugin identifier and API key can be persisted in a foreign AI CLI configuration; downstream OpenCode behavior controls any plugin resolution.
Mechanism
Explicit OpenCode configuration mutation and credentialed CLI launch.
Rationale
No concrete malicious or install-time behavior was found. Warn because explicit user-triggered mutation of a foreign AI CLI configuration can enable downstream plugin execution with persisted credentials.
Evidence
package.jsonbin/bobby.jssrc/index.jssrc/config.jssrc/launcher.jssrc/server.jssrc/accounts.jssrc/models.jssrc/providers.jssrc/templates.js~/.bobbytools/config.json~/.config/opencode/opencode.json
Network endpoints2
api.openai.com/v1openrouter.ai/api/v1

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/launcher.js` writes API keys and provider settings to `~/.config/opencode/opencode.json`.
  • That write occurs when the user explicitly launches an `opencode` session.
  • `src/providers.js` lets the user set an arbitrary `opencodeNpm` plugin identifier, later copied into OpenCode config.
  • `src/launcher.js` runs a user-selected CLI command with configured credentials in environment variables.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Entrypoint `bin/bobby.js` only calls the interactive CLI main function.
  • Config persistence is scoped to `~/.bobbytools`; no broad credential harvesting was found.
  • Network requests target configured AI providers for model checks, tests, and the explicit local router.
  • No eval, VM, native loading, hidden payload, destructive action, or external credential exfiltration found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 75.7 KB of source, external domains: 127.0.0.1, ai.genfity.com, api-inference.huggingface.co, api.cerebras.ai, api.cf.com, api.chutes.ai, api.cloudflare.com, api.cohere.com, api.deepinfra.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.lepton.ai, api.mistral.ai, api.novita.ai, api.openai.com, api.perplexity.ai, api.sambanova.ai, api.together.xyz, api.x.ai, generativelanguage.googleapis.com, models.inference.ai.azure.com, openrouter.ai

Source & flagged code

1 flagged · loading source
src/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = bobbytools@2.0.3 matchedIdentity = npm:Ym9iYnl0b29scw:2.0.3 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/index.jsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltasrc/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings