AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time behavior. The package is an agent harness with user- or model-invoked execution, messaging, integration, and skill-management tools.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Running the CLI/agent and enabling or invoking a relevant tool.
Impact
Requested integrations may send messages, call services, or install skills, but no unsolicited exfiltration, persistence, or foreign control-surface mutation is established.
Mechanism
Explicit tool handlers use configured credentials, local commands, or fixed integration adapters.
Rationale
Static inspection shows an agent framework with broad but package-aligned, invoked capabilities. Scanner findings correspond to configured integration tools and protocol code, not a concrete malicious chain.
Evidence
package.jsonsrc/index.jsbin/freddie.jsplugins/homeassistant_tool/handler.jsplugins/send_message/handler.jsplugins/skills_sync/handler.jsplugins/skills_hub/handler.jssrc/host/index.jssrc/host/host.jssrc/toolsets.jssrc/auth.jsplugins/platform-wecom_crypto/handler.jssrc/cli/uninstall.js
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- `plugins/skills_sync/handler.js` can clone/pull a caller-supplied Git repository into Freddie's own skills directory.
- `plugins/send_message/handler.js` dynamically imports only a fixed allowlist of bundled platform adapters.
- `plugins/homeassistant_tool/handler.js` sends `HASS_TOKEN` only to the configured Home Assistant URL during an invoked tool action.
Evidence against
- `package.json` defines no `preinstall`, `install`, or `postinstall` lifecycle hooks.
- `src/index.js` only exports modules; no import-time network, shell, or filesystem action is evident.
- `bin/freddie.js` boots the plugin host only when the user runs the CLI.
- `plugins/skills_hub/handler.js` fetches its catalog and writes skills only through explicit tool actions.
- `plugins/platform-wecom_crypto/handler.js` uses SHA-1/AES-CBC for WeCom protocol compatibility; no credential theft or exfiltration path is shown.
- No source inspected writes foreign AI-agent configuration or installs hooks/extensions outside Freddie-managed paths.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
3 flagged · loading sourceplugins/send_message/handler.jsView file
19if (!mod) return { error: 'unknown platform: ' + platform }
L20: const m = await import(mod)
L21: const cls = Object.values(m)[0]
Medium
Dynamic Require
Package source references dynamic require/import behavior.
plugins/send_message/handler.jsView on unpkg · L19plugins/platform-wecom_crypto/handler.jsView file
6export function decryptMsg(encryptedB64, encodingAesKey) {
L7: const aesKey = Buffer.from(encodingAesKey + '=', 'base64')
L8: const iv = aesKey.slice(0, 16)
Low
Weak Crypto
Package source references weak cryptographic algorithms.
plugins/platform-wecom_crypto/handler.jsView on unpkg · L6plugins/homeassistant_tool/handler.jsView file
3toolset: 'core',
L4: schema: { name: 'homeassistant_tool', description: 'Read state or call a service on Home Assistant.', parameters: { type: 'object', properties: { action: { type: 'string', enum: ['...
L5: requiresEnv: ['HASS_TOKEN', 'HASS_URL'],
L6: checkFn: () => Boolean(process.env.HASS_TOKEN),
L7: handler: async ({ action, entity_id, domain, service, data = {} }) => {
L8: const url = process.env.HASS_URL || 'http://homeassistant.local:8123'
L9: const auth = { authorization: `Bearer ${process.env.HASS_TOKEN}` }
L10: if (action === 'state') return await (await fetch(`${url}/api/states/${entity_id}`, { headers: auth })).json()
L11: if (action === 'service') return await (await fetch(`${url}/api/services/${domain}/${service}`, { method: 'POST', headers: { ...auth, 'content-type': 'application/json' }, body: JS...
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
plugins/homeassistant_tool/handler.jsView on unpkg · L3Findings
1 Critical4 Medium5 Low
CriticalCredential Exfiltrationplugins/homeassistant_tool/handler.js
MediumDynamic Requireplugins/send_message/handler.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowWeak Cryptoplugins/platform-wecom_crypto/handler.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings