registry  /  customize-agent  /  2.1.1

customize-agent@2.1.1

通用终端 AI 助手 — 原生 Function Calling + 双语 TUI + 三级模型分层

AI Security Review

scanned 3h ago · by lpm-firewall-ai

When a user runs `customize`, the CLI starts a detached Next.js dashboard that defaults to binding `0.0.0.0`. Its unauthenticated `/api/prompt` route can read, create, change, or delete `CUSTOMIZE.md` for project directories listed in the package-owned registry.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the `customize` CLI and the dashboard starts on port 17321–17325.
Impact
A reachable network client could alter the target project's agent instructions in `CUSTOMIZE.md`, influencing subsequent Customize Agent behavior.
Mechanism
Unauthenticated dashboard API exposed on a non-loopback default binding.
Rationale
Static inspection resolves the package as a legitimate user-invoked AI CLI/dashboard rather than malware: it has no registry install hook, foreign AI-agent control-surface mutation, remote payload execution, persistence chain, or exfiltration path. However, the dashboard is started detached with a default `0.0.0.0` binding and exposes unauthenticated project prompt-file mutation. This is a concrete critical vulnerability, not evidence that the author is attacking users, so it should warn rather than block publication.
Evidence
package.jsondist/index.jsdist/server/apps/server/server.jsdist/agent/tool-registry.jsdist/server/apps/server/.next/server/pages/api/prompt.jsdist/server/apps/server/.next/server/chunks/76.js~/.customize-agent/logs/dashboard-<port>.log~/.customize-agent/projects/registry.db<registered-project>/CUSTOMIZE.md
Network endpoints1
localhost:17321/api/health

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/index.js` runs only when the user invokes the `customize` CLI; it has no npm `preinstall`, `install`, or `postinstall` trigger.
  • `dist/index.js` spawns the bundled dashboard as a detached process, writes `~/.customize-agent/logs/dashboard-<port>.log`, and checks `http://localhost:<port>/api/health`.
  • `dist/server/apps/server/server.js` sets the dashboard hostname from `HOSTNAME` with a default of `0.0.0.0`, so the user-invoked local dashboard can listen on non-loopback interfaces.
  • `dist/server/apps/server/.next/server/pages/api/prompt.js` exposes unauthenticated GET, PUT, and DELETE operations for `CUSTOMIZE.md` in project directories recorded in `~/.customize-agent/projects/registry.db`; it rejects paths inside `~/.customize-agent` and requires the basename to be `CUSTOMIZE.md`.
  • `dist/agent/tool-registry.js` loads MCP commands only from the package-owned `~/.customize-agent/mcp.json`; no code inspected writes `.mcp.json`, `CLAUDE.md`, `.claude`, `.codex`, Cursor configuration, VCS hooks, shell startup files, or OS service entries.
  • The flagged 2.46 MB `dist/server/apps/server/.next/server/chunks/76.js` begins as a normal generated Next.js/Ant Design server chunk and includes bundled framework/provider code; no encoded payload decoder, remote JavaScript loader, or execution chain was confirmed.
Evidence against
  • No remote JavaScript, shell-command, paste/blob/json-storage payload fetch-and-execute path was found in the inspected CLI, agent, configuration, server entry, or flagged bundle evidence.
  • No credential collection or exfiltration endpoint was confirmed; the package’s declared provider domains are consistent with user-configured LLM API use.
  • The detached process is a package-aligned dashboard started only from the explicit `customize` command, not during npm installation.
  • The version’s new static assets and oversized server chunk are explainable as a bundled Next.js dashboard release rather than a standalone staged payload.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 143 file(s), 787 KB of source, external domains: api.anthropic.com, api.deepseek.com, generativelanguage.googleapis.com, github.com, openrouter.ai

Source & flagged code

3 flagged · loading source
dist/server/apps/server/.next/server/chunks/76.jsView file
path = dist/server/apps/server/.next/server/chunks/76.js kind = payload_in_excluded_dir sizeBytes = 2458830 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

dist/server/apps/server/.next/server/chunks/76.jsView on unpkg
path = dist/server/apps/server/.next/server/chunks/76.js kind = oversized_source_file sizeBytes = 2458830 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/server/apps/server/.next/server/chunks/76.jsView on unpkg
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = customize-agent@2.1.0 matchedIdentity = npm:Y3VzdG9taXplLWFnZW50:2.1.0 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/index.jsView on unpkg

Findings

1 Critical2 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighPayload In Excluded Dirdist/server/apps/server/.next/server/chunks/76.js
HighOversized Source Filedist/server/apps/server/.next/server/chunks/76.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings