AI Security Review
scanned 3h ago · by lpm-firewall-aiNo unconsented install-time or import-time attack behavior is present. The package intentionally orchestrates Azure, GitHub, Docker, and model APIs after explicit user CLI or service deployment actions.
Static reason
No blocking static signals were detected.
Trigger
Explicit factory CLI commands or deployed Factory AI services.
Impact
Can clone, modify, commit, and push repositories and access configured cloud secrets as part of its advertised automation; no covert exfiltration or foreign AI-agent control-surface mutation was confirmed.
Mechanism
User-configured coding-agent orchestration with scoped workspace tools and container execution.
Rationale
Direct source inspection shows a feature-aligned, explicitly invoked autonomous development/deployment tool with deliberate process, workspace, and container restrictions. No lifecycle execution, hidden payload, credential exfiltration, or covert persistence chain was found.
Evidence
package.jsonbin/factorysrc/process.jssrc/workspace-tools.jssrc/container-runner.jssrc/agent-executor.jssrc/mcp-tools.jssrc/updater.jsbootstrap/auto-update.shbootstrap/setup.sh
Network endpoints3
registry.npmjs.org/factory-ai/latestapi.ipify.orggithub.com/itsvedantkumar/factory-ai/releases/download/v$version
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall/prepare hooks.
- bin/factory performs deployment, secret, and remote actions only through explicit CLI subcommands.
- src/process.js uses spawn with shell:false plus time/output limits.
- src/workspace-tools.js confines agent file access to a workspace and command execution to an allowlist.
- src/container-runner.js starts restricted containers with read-only rootfs and dropped capabilities.
- src/updater.js only queries the npm registry; bootstrap/auto-update.sh verifies provenance before updates.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebootstrap/setup.shView file
•path = bootstrap/setup.sh
kind = build_helper
sizeBytes = 11100
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
bootstrap/setup.shView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbootstrap/setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings