registry  /  markhub-local-agent  /  0.1.3

markhub-local-agent@0.1.3

MarkHub 로컬 에이전트 데몬 — 유저 컴퓨터의 claude code / codex 로 브라우저 유즈 잡을 실행

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `maki-agent pair`, then `maki-agent run` or `maki-agent install`.
Impact
A paired server can direct read/navigation tasks against sites logged into the dedicated browser profile; generated task results are returned to that server.
Mechanism
Remote-job browser-agent execution with constrained read-only MCP tooling.
Rationale
The package is not malicious by source evidence, but its deliberate remote-job execution against authenticated browser sessions is a meaningful dangerous capability. Explicit commands and layered read-only restrictions reduce risk, while persistence is opt-in rather than install-time.
Evidence
package.jsondist/index.jsdist/api.jsdist/poller.jsdist/service.jsdist/backends/claude.jsdist/backends/codex.jsdist/mcp/readonly-proxy.jsdist/config.js~/.maki-agent/config.json~/.maki-agent/token~/.maki-agent/chrome-profile~/.maki-agent/codex-home~/.maki-agent/codex-work

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/poller.js` claims remote jobs and sends generated results to the paired server.
  • `dist/backends/codex.js` and `dist/backends/claude.js` run agent SDKs using the user's authenticated browser sessions.
  • `dist/service.js` creates persistent login-start services, but only through `maki-agent install`.
  • `dist/mcp/readonly-proxy.js` downloads/starts Playwright MCP through `npx` at runtime.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook; `prepublishOnly` only builds.
  • `dist/index.js` requires explicit `pair`, `run`, or `install` commands; importing does not start work.
  • `dist/mcp/readonly-proxy.js` code-filters MCP calls to a read/navigation allowlist.
  • `dist/backends/claude.js` denies shell, filesystem, web-fetch/search, and browser mutation tools.
  • `dist/backends/codex.js` uses an isolated work directory and read-only sandbox.
  • No hidden endpoint, credential harvesting, payload execution, or foreign AI-agent config mutation was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 13 file(s), 50.7 KB of source, external domains: www.apple.com

Source & flagged code

4 flagged · loading source
dist/service.jsView file
matchType = previous_version_dangerous_delta matchedPackage = markhub-local-agent@0.1.1 matchedIdentity = npm:bWFya2h1Yi1sb2NhbC1hZ2VudA:0.1.1 similarity = 0.455 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/service.jsView on unpkg
12*/ L13: import { execFileSync } from "child_process"; L14: import * as fs from "fs";
High
Child Process

Package source references child process execution.

dist/service.jsView on unpkg · L12
12*/ L13: import { execFileSync } from "child_process"; L14: import * as fs from "fs"; ... L53: function plistPath() { L54: return path.join(os.homedir(), "Library", "LaunchAgents", `${LABEL}.plist`); L55: } ... L82: // 재설치 대비: 기존 등록을 먼저 내리고(bootout) 다시 올린다(bootstrap). 미등록이면 bootout 실패 → 무시. L83: quiet(() => execFileSync("launchctl", ["bootout", `gui/${uid}/${LABEL}`], { stdio: "ignore" })); L84: execFileSync("launchctl", ["bootstrap", `gui/${uid}`, p], { stdio: "ignore" }); ... L126: function startupCmdPath() { L127: const appdata = process.env.APPDATA || path.join(os.homedir(), "AppData", "Roaming"); L128: return path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup", "maki-agent.cmd");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/service.jsView on unpkg · L12
dist/mcp/readonly-proxy.jsView file
38export function runReadonlyProxy(playwrightArgs) { L39: const child = spawn("npx", playwrightArgs, { stdio: ["pipe", "pipe", "inherit"] }); L40: child.on("exit", (code) => process.exit(code ?? 0));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/mcp/readonly-proxy.jsView on unpkg · L38

Findings

1 Critical3 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/service.js
HighChild Processdist/service.js
HighShell
HighRuntime Package Installdist/mcp/readonly-proxy.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/service.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License