registry  /  factory-ai  /  1.5.0

factory-ai@1.5.0

Deploy a private autonomous coding-agent factory on Azure: isolated builders, testers, security reviewers, durable orchestration, multi-model routing, memory, cost controls, and gated GitHub pull requests.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No unconsented install-time or import-time attack behavior is present. The package intentionally orchestrates Azure, GitHub, Docker, and model APIs after explicit user CLI or service deployment actions.

Static reason
No blocking static signals were detected.
Trigger
Explicit factory CLI commands or deployed Factory AI services.
Impact
Can clone, modify, commit, and push repositories and access configured cloud secrets as part of its advertised automation; no covert exfiltration or foreign AI-agent control-surface mutation was confirmed.
Mechanism
User-configured coding-agent orchestration with scoped workspace tools and container execution.
Rationale
Direct source inspection shows a feature-aligned, explicitly invoked autonomous development/deployment tool with deliberate process, workspace, and container restrictions. No lifecycle execution, hidden payload, credential exfiltration, or covert persistence chain was found.
Evidence
package.jsonbin/factorysrc/process.jssrc/workspace-tools.jssrc/container-runner.jssrc/agent-executor.jssrc/mcp-tools.jssrc/updater.jsbootstrap/auto-update.shbootstrap/setup.sh
Network endpoints3
registry.npmjs.org/factory-ai/latestapi.ipify.orggithub.com/itsvedantkumar/factory-ai/releases/download/v$version

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall/prepare hooks.
    • bin/factory performs deployment, secret, and remote actions only through explicit CLI subcommands.
    • src/process.js uses spawn with shell:false plus time/output limits.
    • src/workspace-tools.js confines agent file access to a workspace and command execution to an allowlist.
    • src/container-runner.js starts restricted containers with read-only rootfs and dropped capabilities.
    • src/updater.js only queries the npm registry; bootstrap/auto-update.sh verifies provenance before updates.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 55 file(s), 186 KB of source, external domains: 127.0.0.1, api.ipify.org, api.telegram.org, github.com, management.azure.com, registry.npmjs.org

    Source & flagged code

    1 flagged · loading source
    bootstrap/setup.shView file
    path = bootstrap/setup.sh kind = build_helper sizeBytes = 11100 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    bootstrap/setup.shView on unpkg

    Findings

    4 Medium4 Low
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helperbootstrap/setup.sh
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings