brettai@0.3.0

Brett — coding agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. No confirmed malicious attack surface was found, but the package is an AI coding-agent CLI with shell execution, repository file mutation, remote chat/transcript sync, and self-update behavior. These capabilities are package-aligned and user-invoked rather than an install-time compromise.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `brett`, `brett login`, `brett connect`, or approves agent actions in the CLI.
Impact
Can read project files, modify repository files, execute approved commands, save session transcripts remotely, and update itself when launched from a global install.
Mechanism
user-invoked coding agent with gated shell execution, reviewed file writes, remote API sync, and package self-update
Rationale
Source inspection supports a warning for dangerous AI-agent capabilities and package-owned self-update, but not a publish block because execution and file mutation are user-invoked and guarded with no install-time malicious behavior found. Network endpoints and stored tokens are aligned with the Brett CLI service.
Evidence
package.json, dist/index.js, ~/.brett/auth.json, ~/.brett/prefs.json, user-selected repository files
Network endpoints (3)
szocqslnprdbvmwmsamf.supabase.co, vericlaw-coding-agent-production.up.railway.app, registry.npmjs.org/brettai/latest

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js is a coding-agent CLI that can execute model-proposed shell commands via child_process.exec after gating/permission checks.
  • dist/index.js applies AI-generated diffs to project files with writeFileSync after interactive review.
  • dist/index.js self-updates at CLI startup from node_modules via `npm install -g brettai@latest --force`.
  • dist/index.js sends chat, transcripts, memory, billing, and identity requests to package platform endpoints.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin entry is explicit user-invoked CLI `brett`; no install-time execution found.
  • Command execution blocks network tools and write primitives, warns on destructive commands, and asks permission unless auto/full mode is selected.
  • Path writes are constrained to the selected repository root and reviewed as diffs.
  • Supabase JWT-like value is an anon key used for package login, not a private credential harvested from users.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 1 file(s), 60.6 KB of source, external domains: registry.npmjs.org, szocqslnprdbvmwmsamf.supabase.co, vericlaw-coding-agent-production.up.railway.app

Source & flagged code

5 flagged
dist/index.js
patternName = supabase_service_key severity = critical line = 2 matchedText = var Er=O...${t}
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.js · L2
patternName = supabase_service_key severity = critical line = 2 matchedText = var Er=O...${t}
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index.js

dist/index.js · L2
L1: #!/usr/bin/env node
L2: var Er=Object.defineProperty;var Vt=(t,e)=>()=>(t&&(e=t(t=0)),e);var en=(t,e)=>{for(var n in e)Er(t,n,{get:e[n],enumerable:!0})};import{readFileSync as qr,writeFileSync as Vr,mkdir...
L3: ${e}`,o=r.match(/Logged in to [\w.]+ account (\S+)/i)||r.match(/Logged in to [\w.]+ as (\S+)/i);return n===0&&o?{installed:!0,authed:!0,account:o[1],detail:`Connected as ${o[1]}`}:...
High
Child Process

Package source references child process execution.

dist/index.js · L1
L1: #!/usr/bin/env node
L2: var Er=Object.defineProperty;var Vt=(t,e)=>()=>(t&&(e=t(t=0)),e);var en=(t,e)=>{for(var n in e)Er(t,n,{get:e[n],enumerable:!0})};import{readFileSync as qr,writeFileSync as Vr,mkdir...
L3: ${e}`,o=r.match(/Logged in to [\w.]+ account (\S+)/i)||r.match(/Logged in to [\w.]+ as (\S+)/i);return n===0&&o?{installed:!0,authed:!0,account:o[1],detail:`Connected as ${o[1]}`}:...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L1
L1: #!/usr/bin/env node
L2: var Er=Object.defineProperty;var Vt=(t,e)=>()=>(t&&(e=t(t=0)),e);var en=(t,e)=>{for(var n in e)Er(t,n,{get:e[n],enumerable:!0})};import{readFileSync as qr,writeFileSync as Vr,mkdir...
L3: ${e}`,o=r.match(/Logged in to [\w.]+ account (\S+)/i)||r.match(/Logged in to [\w.]+ as (\S+)/i);return n===0&&o?{installed:!0,authed:!0,account:o[1],detail:`Connected as ${o[1]}`}:...
L4: `)}async function Xn(t){let e=st[t];if(!e)return`Unknown connector "${t}". Available: ${Object.keys(st).join(", ")}.`;let n=await e.check();return n.authed?`${e.name}: ${n.detail}....
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.js · L1

Findings

2 Critical · 3 High · 2 Medium · 4 Low
Critical · Critical Secret · dist/index.js
Critical · Secret Pattern · dist/index.js
High · Child Process · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Command Output Exfiltration · dist/index.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings
Low · No License