registry  /  factory-ai  /  1.2.0

factory-ai@1.2.0

Deploy a private autonomous coding-agent factory on Azure: isolated builders, testers, security reviewers, durable orchestration, multi-model routing, memory, cost controls, and gated GitHub pull requests.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time behavior is present. The package intentionally deploys and operates a first-party autonomous coding-agent service after explicit user commands.

Static reason
No blocking static signals were detected.
Trigger
User runs `factory setup` and enables the Azure-hosted runtime.
Impact
A user-authorized deployment can modify assigned repositories and maintain package-owned runtime services.
Mechanism
Package-owned agent orchestration, workspace editing, container execution, and scheduled self-update.
Rationale
Not malicious: source inspection found no lifecycle hook, covert exfiltration, foreign control-surface mutation, or stealth payload execution. Warn because it intentionally provisions persistent first-party autonomous agent infrastructure with repository-modifying capability.
Evidence
package.jsonbin/factorybootstrap/setup.shbootstrap/auto-update.shsrc/agent-executor.jssrc/workspace-tools.jssrc/container-runner.jssrc/process.js
Network endpoints3
registry.npmjs.org/factory-ai/latestmanagement.azure.comapi.telegram.org

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/factory` explicit `setup` deploys Azure runtime.
  • `bootstrap/setup.sh` installs package-owned systemd services/timers.
  • `src/agent-executor.js` runs agent tasks against cloned workspaces.
  • `src/workspace-tools.js` permits bounded workspace writes and allowlisted commands.
  • `bootstrap/auto-update.sh` periodically updates the deployed runtime.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • No import-time execution beyond CLI/service entrypoints.
  • `src/process.js` uses `spawn` with `shell: false`, timeouts, and output caps.
  • `src/container-runner.js` uses read-only, dropped-capability containers.
  • Workspace tools restrict paths and deny git push/remote/credential operations.
  • No source evidence of credential exfiltration or covert external endpoint.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 109 KB of source, external domains: api.ipify.org, api.telegram.org, github.com, management.azure.com, registry.npmjs.org

Source & flagged code

1 flagged · loading source
bootstrap/setup.shView file
path = bootstrap/setup.sh kind = build_helper sizeBytes = 7881 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bootstrap/setup.shView on unpkg

Findings

4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbootstrap/setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings