AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. Risky primitives are explicit agent features gated by CLI/tool invocation or user configuration, not install-time or import-time behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs freddie CLI/dashboard or an agent invokes configured tools.
Impact
No unconsented credential harvesting, persistence, destructive action, or hidden exfiltration identified.
Mechanism
plugin-based AI agent harness with user-invoked tools and provider integrations
Rationale
Static inspection shows a legitimate plugin-driven AI agent CLI with explicit shell, network, credential, and messaging capabilities, but no lifecycle execution or covert credential exfiltration. Scanner-critical Home Assistant finding is a false positive because the token is used as authorization to the configured Home Assistant endpoint during explicit tool execution.
Evidence
package.jsonbin/freddie.jssrc/host/index.jssrc/host/host.jssrc/auth.jsplugins/homeassistant_tool/handler.jsplugins/platform-wecom_crypto/handler.jsplugins/send_message/handler.jsplugins/bash/handler.jsplugins/code_execution/handler.js~/.freddie/auth/*.json<FREDDIE_HOME>/trajectories/*.json
Decision evidence
public snapshotAI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
- User-invoked agent tools include shell/code execution in plugins/bash/handler.js and plugins/code_execution/handler.js.
- Plugin discovery can load local user plugins from FREDDIE_HOME or cwd .freddie paths in src/host/index.js.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts; bin only boots CLI plugins.
- plugins/homeassistant_tool/handler.js sends HASS_TOKEN only to configured HASS_URL/Home Assistant API for explicit tool calls.
- plugins/platform-wecom_crypto/handler.js implements WeCom signature/decrypt helpers; SHA1 is protocol-aligned, not payload logic.
- plugins/send_message/handler.js imports only a fixed allowlist of platform adapters, not arbitrary user-controlled modules.
- src/auth.js stores credentials locally under Freddie home with mode 0600; gui-auth masks values on read.
- LLM/network calls are package-aligned agent, dashboard, messaging, memory, and provider integrations; no hidden import-time exfiltration found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
GitDependencyWildcardDependency
Source & flagged code
3 flagged · loading sourceplugins/send_message/handler.jsView file
19if (!mod) return { error: 'unknown platform: ' + platform }
L20: const m = await import(mod)
L21: const cls = Object.values(m)[0]
Medium
Dynamic Require
Package source references dynamic require/import behavior.
plugins/send_message/handler.jsView on unpkg · L19plugins/platform-wecom_crypto/handler.jsView file
6export function decryptMsg(encryptedB64, encodingAesKey) {
L7: const aesKey = Buffer.from(encodingAesKey + '=', 'base64')
L8: const iv = aesKey.slice(0, 16)
Low
Weak Crypto
Package source references weak cryptographic algorithms.
plugins/platform-wecom_crypto/handler.jsView on unpkg · L6plugins/homeassistant_tool/handler.jsView file
3toolset: 'core',
L4: schema: { name: 'homeassistant_tool', description: 'Read state or call a service on Home Assistant.', parameters: { type: 'object', properties: { action: { type: 'string', enum: ['...
L5: requiresEnv: ['HASS_TOKEN', 'HASS_URL'],
L6: checkFn: () => Boolean(process.env.HASS_TOKEN),
L7: handler: async ({ action, entity_id, domain, service, data = {} }) => {
L8: const url = process.env.HASS_URL || 'http://homeassistant.local:8123'
L9: const auth = { authorization: `Bearer ${process.env.HASS_TOKEN}` }
L10: if (action === 'state') return await (await fetch(`${url}/api/states/${entity_id}`, { headers: auth })).json()
L11: if (action === 'service') return await (await fetch(`${url}/api/services/${domain}/${service}`, { method: 'POST', headers: { ...auth, 'content-type': 'application/json' }, body: JS...
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
plugins/homeassistant_tool/handler.jsView on unpkg · L3Findings
1 Critical5 Medium5 Low
CriticalCredential Exfiltrationplugins/homeassistant_tool/handler.js
MediumDynamic Requireplugins/send_message/handler.js
MediumNetwork
MediumEnvironment Vars
MediumGit Dependency
MediumWildcard Dependency
LowScripts Present
LowWeak Cryptoplugins/platform-wecom_crypto/handler.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings