registry  /  jeeves-agent  /  1.4.1

jeeves-agent@1.4.1

Jeeves Agent — 多Agent AI 管家。基于 Flue (Pi) + Tavily + Playwright MCP,一条命令部署

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack chain, but the package intentionally provides an AI agent with local command/file capabilities and optional browser automation. Activation is explicit CLI/server use or configured cron/webhook input, not npm install.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs jeeves chat/serve/setup/schedule or configures Telegram/cron/browser features
Impact
Potentially broad local actions if prompted or remotely reachable via configured webhook, aligned with package purpose
Mechanism
user-invoked local AI agent with shell/file/browser tools
Rationale
jeeves-agent@1.4.1 is not malicious by source inspection, but it is a user-invoked AI agent with local shell/file/browser capabilities and configured external inputs, so warning is appropriate for dangerous dual-use capability. The scanner’s npx/spawn and persistence hints map to explicit runtime setup and package-owned config rather than unconsented install-time compromise.
Evidence
package.jsonbin/jeeves.jssrc/app.tssrc/agents/jeeves.tssrc/tools/web.tssrc/cli/server.mjssrc/cli/setup.mjssrc/cli/schedules.mjssrc/cli/config.mjssrc/cli/sessions.mjs~/.jeeves/BUTLER.md~/.jeeves/schedules.yaml~/.jeeves/config.yaml~/.jeeves/sessions.json~/.jeeves/project.env
Network endpoints4
api.tavily.com/searchapi.tavily.com/extractlocalhost:8931/mcplocalhost:3583

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/agents/jeeves.ts creates an AI agent with local() sandbox and instructions advertising bash/write/read/ls/rm/mkdir tools.
  • src/app.ts dispatches prompts from ~/.jeeves/schedules.yaml on cron and from Telegram webhook text when TELEGRAM_BOT_TOKEN is set.
  • src/app.ts can spawn npx @playwright/mcp@latest when JEEVES_MCP_BROWSER=true.
  • src/cli/server.mjs copies project files into ~/.jeeves/project and spawns npx @flue/cli dev on explicit jeeves serve/chat flow.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/jeeves.js only dispatches explicit CLI subcommands via local imports.
  • src/tools/web.ts sends only user tool inputs plus TAVILY_API_KEY to Tavily endpoints for search/extract.
  • setup/config/schedules write package-owned .env or ~/.jeeves files, with no foreign AI-agent control-surface mutation found.
  • No credential harvesting, stealth persistence, destructive import-time behavior, or remote payload loader found in inspected source.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 45.2 KB of source, external domains: api.tavily.com, crontab.guru, platform.deepseek.com, tavily.com

Source & flagged code

6 flagged · loading source
src/app.tsView file
8import { readFileSync } from 'fs'; L9: import { spawn } from 'child_process'; L10: import { join } from 'path';
High
Child Process

Package source references child process execution.

src/app.tsView on unpkg · L8
23windowsHide: true, L24: shell: true, L25: });
High
Shell

Package source references shell execution.

src/app.tsView on unpkg · L23
20const MCP_PORT = 8931; L21: const mcpProcess = spawn('npx', ['@playwright/mcp@latest', '--port', String(MCP_PORT), '--headless'], { L22: stdio: 'ignore',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/app.tsView on unpkg · L20
src/cli/schedules.mjsView file
13function getSchedulePath() { L14: return join(homedir(), '.jeeves', 'schedules.yaml'); L15: } ... L34: # L35: # 更多: https://crontab.guru/ L36:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/cli/schedules.mjsView on unpkg · L13
src/cli/server.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = jeeves-agent@1.3.3 matchedIdentity = npm:amVldmVzLWFnZW50:1.3.3 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli/server.mjsView on unpkg
76if (running) { L77: console.log(`${C.green}Flue 已在线${C.reset} (http://localhost:${serverPort})`); L78: return serverPort; ... L84: return new Promise((resolve, reject) => { L85: serverProcess = spawn('npx', ['@flue/cli', 'dev'], { L86: cwd: PROJECT_DIR, ... L88: shell: true, L89: env: { ...process.env }, L90: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/cli/server.mjsView on unpkg · L76

Findings

1 Critical4 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/cli/server.mjs
HighChild Processsrc/app.ts
HighShellsrc/app.ts
HighSame File Env Network Executionsrc/cli/server.mjs
HighRuntime Package Installsrc/app.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli/schedules.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings