registry  /  jeeves-agent  /  1.4.0

jeeves-agent@1.4.0

Jeeves Agent — 多Agent AI 管家。基于 Flue (Pi) + Tavily + Playwright MCP,一条命令部署

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface found by source inspection. Risky primitives are part of the advertised AI agent CLI/server functionality and are activated by user commands or environment configuration, not install-time execution.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs jeeves chat/serve/schedule/config or enables JEEVES_MCP_BROWSER=true
Impact
No evidence of credential harvesting, exfiltration, persistence outside package-owned files, or unconsented AI-agent control-surface mutation.
Mechanism
User-invoked local AI agent server, optional browser MCP, Tavily search tools, and package-owned config writes
Rationale
Source inspection shows no lifecycle hooks or automatic install-time mutation; network, shell, and file writes are package-aligned AI agent features gated by explicit runtime use or env configuration. No credential exfiltration, remote payload loading beyond user-enabled npx tools, destructive behavior, or foreign AI-agent control hijack was found.
Evidence
package.jsonbin/jeeves.jssrc/app.tssrc/cli/server.mjssrc/cli/schedules.mjssrc/cli/config.mjssrc/cli/setup.mjssrc/agents/jeeves.tssrc/tools/web.ts~/.jeeves/schedules.yaml~/.jeeves/BUTLER.md~/.jeeves/config.yaml~/.jeeves/sessions.json~/.jeeves/project./.env
Network endpoints4
api.tavily.com/searchapi.tavily.com/extractlocalhost:8931/mcplocalhost:<port>/

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks.
    • bin/jeeves.js only dispatches explicit CLI commands via local source imports.
    • src/app.ts spawns Playwright MCP only when JEEVES_MCP_BROWSER=true at runtime.
    • src/cli/server.mjs starts local Flue dev server via user-invoked chat/serve flow.
    • src/tools/web.ts sends user search/extract requests only to Tavily API.
    • Writes are limited to package-owned config/session/schedule/memory files under .jeeves or local .env.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 15 file(s), 44.6 KB of source, external domains: api.tavily.com, crontab.guru, platform.deepseek.com, tavily.com

    Source & flagged code

    6 flagged · loading source
    src/app.tsView file
    8import { readFileSync } from 'fs'; L9: import { spawn } from 'child_process'; L10: import { join } from 'path';
    High
    Child Process

    Package source references child process execution.

    src/app.tsView on unpkg · L8
    23windowsHide: true, L24: shell: true, L25: });
    High
    Shell

    Package source references shell execution.

    src/app.tsView on unpkg · L23
    20const MCP_PORT = 8931; L21: const mcpProcess = spawn('npx', ['@playwright/mcp@latest', '--port', String(MCP_PORT), '--headless'], { L22: stdio: 'ignore',
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    src/app.tsView on unpkg · L20
    src/cli/schedules.mjsView file
    13function getSchedulePath() { L14: return join(homedir(), '.jeeves', 'schedules.yaml'); L15: } ... L34: # L35: # 更多: https://crontab.guru/ L36:
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    src/cli/schedules.mjsView on unpkg · L13
    src/cli/server.mjsView file
    matchType = previous_version_dangerous_delta matchedPackage = jeeves-agent@1.3.3 matchedIdentity = npm:amVldmVzLWFnZW50:1.3.3 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    src/cli/server.mjsView on unpkg
    76if (running) { L77: console.log(`${C.green}Flue 已在线${C.reset} (http://localhost:${serverPort})`); L78: return serverPort; ... L84: return new Promise((resolve, reject) => { L85: serverProcess = spawn('npx', ['@flue/cli', 'dev'], { L86: cwd: PROJECT_DIR, ... L88: shell: true, L89: env: { ...process.env }, L90: });
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    src/cli/server.mjsView on unpkg · L76

    Findings

    1 Critical4 High4 Medium4 Low
    CriticalPrevious Version Dangerous Deltasrc/cli/server.mjs
    HighChild Processsrc/app.ts
    HighShellsrc/app.ts
    HighSame File Env Network Executionsrc/cli/server.mjs
    HighRuntime Package Installsrc/app.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencesrc/cli/schedules.mjs
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings