AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is an AI agent/CLI framework with user-invoked tools for shell execution, messaging, Home Assistant, LLM APIs, memory providers, and dashboard routes.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit CLI use, dashboard/API use, or agent tool invocation after installation.
Impact
Can execute commands or send data to configured services when users enable/invoke those tools, but no unconsented install-time execution or credential exfiltration was found.
Mechanism
Plugin-based agent tools and service integrations
Rationale
The suspicious primitives are aligned with an agent harness and service-integration package and are activated by explicit user/runtime tool use, not by npm lifecycle or import-time stealth behavior. The scanner's credential-exfiltration hint on Home Assistant is a false positive because the token is sent as the required bearer credential to the configured Home Assistant API.
Evidence
package.jsonbin/freddie.jssrc/index.jsplugins/homeassistant_tool/handler.jsplugins/send_message/handler.jsplugins/platform-wecom_crypto/handler.jsplugins/bash/handler.jsplugins/code_execution/handler.js~/.freddie auth/config/session/state paths at runtimeproject files via explicit edit/patch/checkpoint tools at runtime
Network endpoints10
homeassistant.local:8123open.feishu.cnapi.spotify.com/v1api.telegram.orgdiscord.com/api/v10slack.com/apiapi.openrouter.aiapi.hunyuan.cloud.tencent.comapi.osv.dev/v1/queryraw.githubusercontent.com/AnEntrypoint/freddie-skills/main/index.json
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- Runtime includes user-invoked shell/code tools such as plugins/bash/handler.js and plugins/code_execution/handler.js.
- Network integrations send configured tokens to their intended APIs when invoked, e.g. HASS_URL, Discord, Slack.
Evidence against
- package.json has no preinstall/install/postinstall scripts; scripts are start/test/build-only.
- bin/freddie.js only boots host and registers CLI commands; no hidden install-time mutation.
- plugins/homeassistant_tool/handler.js uses HASS_TOKEN only as Authorization to HASS_URL/Home Assistant API.
- plugins/send_message/handler.js dynamic import is enum-gated to fixed platform module paths.
- plugins/platform-wecom_crypto/handler.js implements WeCom signature/decryption helpers; no outbound network or persistence.
- Scans show network endpoints are named service integrations, LLM providers, local servers, or user-configured URLs.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
3 flagged · loading sourceplugins/send_message/handler.jsView file
19if (!mod) return { error: 'unknown platform: ' + platform }
L20: const m = await import(mod)
L21: const cls = Object.values(m)[0]
Medium
Dynamic Require
Package source references dynamic require/import behavior.
plugins/send_message/handler.jsView on unpkg · L19plugins/platform-wecom_crypto/handler.jsView file
6export function decryptMsg(encryptedB64, encodingAesKey) {
L7: const aesKey = Buffer.from(encodingAesKey + '=', 'base64')
L8: const iv = aesKey.slice(0, 16)
Low
Weak Crypto
Package source references weak cryptographic algorithms.
plugins/platform-wecom_crypto/handler.jsView on unpkg · L6plugins/homeassistant_tool/handler.jsView file
3toolset: 'core',
L4: schema: { name: 'homeassistant_tool', description: 'Read state or call a service on Home Assistant.', parameters: { type: 'object', properties: { action: { type: 'string', enum: ['...
L5: requiresEnv: ['HASS_TOKEN', 'HASS_URL'],
L6: checkFn: () => Boolean(process.env.HASS_TOKEN),
L7: handler: async ({ action, entity_id, domain, service, data = {} }) => {
L8: const url = process.env.HASS_URL || 'http://homeassistant.local:8123'
L9: const auth = { authorization: `Bearer ${process.env.HASS_TOKEN}` }
L10: if (action === 'state') return await (await fetch(`${url}/api/states/${entity_id}`, { headers: auth })).json()
L11: if (action === 'service') return await (await fetch(`${url}/api/services/${domain}/${service}`, { method: 'POST', headers: { ...auth, 'content-type': 'application/json' }, body: JS...
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
plugins/homeassistant_tool/handler.jsView on unpkg · L3Findings
1 Critical4 Medium5 Low
CriticalCredential Exfiltrationplugins/homeassistant_tool/handler.js
MediumDynamic Requireplugins/send_message/handler.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowWeak Cryptoplugins/platform-wecom_crypto/handler.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings