registry  /  freddie  /  0.0.138

freddie@0.0.138

Open JS agent harness built on pi-mono, floosie, xstate, and anentrypoint-design

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious install-time, import-time, credential-exfiltration, or stealth-persistence chain. The package is an agent harness with user/model-invoked execution, messaging, and skill-management tools.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the CLI or invokes configured agent tools.
Impact
High-privilege capabilities require deliberate runtime tool exposure, but no covert package attack behavior was found.
Mechanism
Declared plugin-based agent capabilities
Rationale
Static inspection finds a capability-rich but package-aligned agent framework, with no lifecycle execution or concrete unconsented exfiltration/persistence chain. Scanner findings map to opt-in Home Assistant, messaging, shell, MCP, and skill tools rather than malware behavior.
Evidence
package.jsonbin/freddie.jssrc/host/index.jssrc/host/host.jsplugins/homeassistant_tool/handler.jsplugins/send_message/handler.jsplugins/bash/handler.jsplugins/mcp_tool/handler.jsplugins/skills_sync/handler.jsplugins/skills_hub/handler.js

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
    • bin/freddie.js only boots the plugin host when the user runs the CLI.
    • plugins/homeassistant_tool/handler.js sends HASS_TOKEN only to the user-configured HASS_URL for explicit state/service actions.
    • plugins/send_message/handler.js restricts dynamic imports to a fixed local platform-module map.
    • plugins/bash/handler.js and plugins/mcp_tool/handler.js expose declared agent tools, not import-time execution.
    • plugins/skills_sync/handler.js and plugins/skills_hub/handler.js run only through explicit tool calls and write under Freddie's home.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    WildcardDependency
    scanned 418 file(s), 531 KB of source, external domains: 127.0.0.1, api.byterover.com, api.hindsightai.com, api.honcho.dev, api.hunyuan.cloud.tencent.com, api.mem0.ai, api.moonshot.ai, api.moonshot.cn, api.nousresearch.com, api.openviking.com, api.osv.dev, api.retaindb.com, api.sgroup.qq.com, api.spotify.com, api.supermemory.ai, api.telegram.org, api.twilio.com, api.vercel.com, api.weixin.qq.com, api.x.ai, api.z.ai, app.daytona.io, cloudcode-pa.googleapis.com, discord.com, graph.facebook.com, homeassistant.local, html.duckduckgo.com, models.dev, oapi.dingtalk.com, oauth2.googleapis.com, open.bigmodel.cn, open.feishu.cn, openrouter.ai, qyapi.weixin.qq.com, raw.githubusercontent.com, serpapi.com, slack.com, www.apple.com, www.googleapis.com

    Source & flagged code

    3 flagged · loading source
    plugins/send_message/handler.jsView file
    19if (!mod) return { error: 'unknown platform: ' + platform } L20: const m = await import(mod) L21: const cls = Object.values(m)[0]
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    plugins/send_message/handler.jsView on unpkg · L19
    plugins/platform-wecom_crypto/handler.jsView file
    6export function decryptMsg(encryptedB64, encodingAesKey) { L7: const aesKey = Buffer.from(encodingAesKey + '=', 'base64') L8: const iv = aesKey.slice(0, 16)
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    plugins/platform-wecom_crypto/handler.jsView on unpkg · L6
    plugins/homeassistant_tool/handler.jsView file
    3toolset: 'core', L4: schema: { name: 'homeassistant_tool', description: 'Read state or call a service on Home Assistant.', parameters: { type: 'object', properties: { action: { type: 'string', enum: ['... L5: requiresEnv: ['HASS_TOKEN', 'HASS_URL'], L6: checkFn: () => Boolean(process.env.HASS_TOKEN), L7: handler: async ({ action, entity_id, domain, service, data = {} }) => { L8: const url = process.env.HASS_URL || 'http://homeassistant.local:8123' L9: const auth = { authorization: `Bearer ${process.env.HASS_TOKEN}` } L10: if (action === 'state') return await (await fetch(`${url}/api/states/${entity_id}`, { headers: auth })).json() L11: if (action === 'service') return await (await fetch(`${url}/api/services/${domain}/${service}`, { method: 'POST', headers: { ...auth, 'content-type': 'application/json' }, body: JS...
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    plugins/homeassistant_tool/handler.jsView on unpkg · L3

    Findings

    1 Critical4 Medium5 Low
    CriticalCredential Exfiltrationplugins/homeassistant_tool/handler.js
    MediumDynamic Requireplugins/send_message/handler.js
    MediumNetwork
    MediumEnvironment Vars
    MediumWildcard Dependency
    LowScripts Present
    LowWeak Cryptoplugins/platform-wecom_crypto/handler.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings