registry  /  freddie  /  0.0.145

freddie@0.0.145

Open JS agent harness built on pi-mono, floosie, xstate, and anentrypoint-design

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time or import-time malicious execution is confirmed. A model-visible core tool can persist arbitrary skill text under Freddie's own home, where it can affect later agent prompts.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A runtime `skills_hub` tool invocation with `action: install`; the saved skill is used later when selected.
Impact
Persistent agent-behavior manipulation within `FREDDIE_HOME`; no foreign AI-agent config mutation or exfiltration chain is confirmed.
Mechanism
first-party persistent skill installation and prompt loading
Rationale
Source inspection finds a persistent package-owned skill installation mechanism but no concrete exfiltration, remote payload, install-time mutation, or foreign control-surface hijack. Downgrade to warn for the agent extension lifecycle risk.
Evidence
package.jsonbin/freddie.jssrc/toolsets.jssrc/skills/index.jsplugins/skills_hub/handler.jsplugins/homeassistant_tool/handler.jsplugins/send_message/handler.jsplugins/gm-skill/plugin.js${FREDDIE_HOME}/skills/<name>/SKILL.md

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `plugins/skills_hub/handler.js` writes caller-supplied `SKILL.md` into the persistent Freddie home.
  • `src/skills/index.js` recursively loads home `SKILL.md` files and exposes their bodies as agent user messages.
  • `plugins/skills_hub/handler.js` is a `core` tool; `src/toolsets.js` enables `core` by default.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `bin/freddie.js` only boots the host after an explicit CLI invocation.
  • `plugins/homeassistant_tool/handler.js` sends its token only to configured Home Assistant API calls.
  • `plugins/send_message/handler.js` dynamically imports only an allowlisted set of local platform modules.
  • `plugins/gm-skill/plugin.js` reads external skill paths but does not modify them.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 425 file(s), 547 KB of source, external domains: 127.0.0.1, api.byterover.com, api.hindsightai.com, api.honcho.dev, api.hunyuan.cloud.tencent.com, api.mem0.ai, api.moonshot.ai, api.moonshot.cn, api.nousresearch.com, api.openviking.com, api.osv.dev, api.retaindb.com, api.sgroup.qq.com, api.spotify.com, api.supermemory.ai, api.telegram.org, api.twilio.com, api.vercel.com, api.weixin.qq.com, api.x.ai, api.z.ai, app.daytona.io, cloudcode-pa.googleapis.com, discord.com, graph.facebook.com, homeassistant.local, html.duckduckgo.com, models.dev, oapi.dingtalk.com, oauth2.googleapis.com, open.bigmodel.cn, open.feishu.cn, openrouter.ai, qyapi.weixin.qq.com, raw.githubusercontent.com, serpapi.com, slack.com, www.apple.com, www.googleapis.com

Source & flagged code

3 flagged · loading source
plugins/send_message/handler.jsView file
19if (!mod) return { error: 'unknown platform: ' + platform } L20: const m = await import(mod) L21: const cls = Object.values(m)[0]
Medium
Dynamic Require

Package source references dynamic require/import behavior.

plugins/send_message/handler.jsView on unpkg · L19
plugins/platform-wecom_crypto/handler.jsView file
6export function decryptMsg(encryptedB64, encodingAesKey) { L7: const aesKey = Buffer.from(encodingAesKey + '=', 'base64') L8: const iv = aesKey.slice(0, 16)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

plugins/platform-wecom_crypto/handler.jsView on unpkg · L6
plugins/homeassistant_tool/handler.jsView file
3toolset: 'core', L4: schema: { name: 'homeassistant_tool', description: 'Read state or call a service on Home Assistant.', parameters: { type: 'object', properties: { action: { type: 'string', enum: ['... L5: requiresEnv: ['HASS_TOKEN', 'HASS_URL'], L6: checkFn: () => Boolean(process.env.HASS_TOKEN), L7: handler: async ({ action, entity_id, domain, service, data = {} }) => { L8: const url = process.env.HASS_URL || 'http://homeassistant.local:8123' L9: const auth = { authorization: `Bearer ${process.env.HASS_TOKEN}` } L10: if (action === 'state') return await (await fetch(`${url}/api/states/${entity_id}`, { headers: auth })).json() L11: if (action === 'service') return await (await fetch(`${url}/api/services/${domain}/${service}`, { method: 'POST', headers: { ...auth, 'content-type': 'application/json' }, body: JS...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

plugins/homeassistant_tool/handler.jsView on unpkg · L3

Findings

1 Critical4 Medium5 Low
CriticalCredential Exfiltrationplugins/homeassistant_tool/handler.js
MediumDynamic Requireplugins/send_message/handler.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowWeak Cryptoplugins/platform-wecom_crypto/handler.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings