registry  /  mop-agent  /  1.0.3

mop-agent@1.0.3

Self-hosted AI assistant with persistent memory, agent runtime, scheduler, and multi-channel support. Installed with npx mop-agent.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Authenticated/local user POSTs CLI-tool setup or auto-import routes, or invokes the mop-agent bin installer
Impact
Can route Codex/Claude Desktop through this app, relax Claude Cowork controls, read local IDE tokens, and grant admin-mode file/shell tools after setup
Mechanism
explicit agent config mutation and local self-hosted assistant setup
Rationale
Source inspection supports a warning for explicit user-command AI-agent configuration mutation and powerful local admin tooling, but not a publish block: there is no npm lifecycle mutation, hidden payload, or concrete exfiltration chain. The scanner’s dangerous primitives are largely package-aligned installer/router behavior guarded by local/auth routes.
Evidence
package.jsoninstaller/bootstrap.mjsinstaller/mop-agent.mjsinstaller/lib.mjssrc/dashboardGuard.jssrc/app/api/cli-tools/cowork-settings/route.jssrc/app/api/cli-tools/codex-settings/route.jssrc/app/api/oauth/cursor/auto-import/route.jssrc/app/api/oauth/kiro/auto-import/route.jssrc/lib/agent/tools.jssrc/lib/updater/updater.jsbin/mop-detect-run.mjs/opt/mop-agent%LOCALAPPDATA%/mop-agent~/.codex/config.toml~/.codex/auth.jsonClaude/claude_desktop_config.jsonClaude-3p/configLibrary/*.json
Network endpoints2
localhost:20128/api/mcp/github.com/BURHANDEV-ENTERPRISE/mop-agent#readme

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/app/api/cli-tools/cowork-settings/route.js writes Claude/Cowork config and disables signature/approval/egress restrictions on POST
  • src/app/api/cli-tools/codex-settings/route.js writes ~/.codex/config.toml and auth.json to route Codex through 9Router on POST
  • src/app/api/oauth/cursor/auto-import/route.js and kiro/auto-import read local IDE/AWS token stores when requested
  • src/lib/agent/tools.js exposes admin-only full-mode file write and shell command tools
  • installer/bootstrap.mjs stages app to /opt/mop-agent or LOCALAPPDATA and runs npm install plus installer menu when bin is invoked
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts; installer is only bin-invoked via mop-agent/npx
  • installer/bootstrap.mjs refuses broad unsafe Linux destinations and does not copy .env secrets
  • src/dashboardGuard.js marks spawn/host-secret routes local-only and requires CLI token or authenticated local session
  • auto-import endpoints are listed in ALWAYS_PROTECTED and LOCAL_ONLY_PATHS, not public unauthenticated routes
  • network references are aligned with declared assistant/router features and provider validation, not hardcoded exfiltration endpoints
  • No obfuscated payload, native binary, import-time execution, or credential exfiltration path found in inspected files
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 848 file(s), 4.29 MB of source, external domains: 127.0.0.1, 9router.com, abc-tunnel.us, accounts.google.com, agent.api5.cursor.sh, agentn.api5.cursor.sh, ai-gateway.vercel.sh, ai.google.dev, aiplatform.googleapis.com, aistudio.google.com, antigravity.google, api-dashboard.search.brave.com, api-inference.huggingface.co, api.anthropic.com, api.assemblyai.com, api.bfl.ai, api.blackbox.ai, api.botframework.com, api.cartesia.ai, api.cerebras.ai, api.cline.bot, api.cloudflare.com, api.cohere.ai, api.commandcode.ai, api.deepgram.com, api.deepseek.com, api.deno.com, api.dev.runwayml.com, api.elevenlabs.io, api.exa.ai, api.example.com, api.firecrawl.dev, api.fireworks.ai, api.github.com, api.githubcopilot.com, api.groq.com, api.hyperbolic.xyz, api.inworld.ai, api.jina.ai, api.kilo.ai, api.kimi.com, api.linkup.so, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.cn, api.nanobananaapi.ai, api.openai.com, api.perplexity.ai, api.play.ht

Source & flagged code

11 flagged · loading source
src/app/api/profile/password/route.jsView file
43patternName = generic_password severity = medium line = 43 matchedText = console....or);
Medium
Secret Pattern

Package contains a possible secret pattern.

src/app/api/profile/password/route.jsView on unpkg · L43
bin/mop-detect-run.mjsView file
13L14: import { spawnSync } from 'node:child_process'; L15: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

bin/mop-detect-run.mjsView on unpkg · L13
42* Returns the npx command appropriate for the current OS. L43: * No cmd.exe wrapper needed on any platform. L44: */
High
Shell

Package source references shell execution.

bin/mop-detect-run.mjsView on unpkg · L42
scripts/injectDisplayToRegistry.mjsView file
22// eslint-disable-next-line no-new-func L23: const getDisplay = new Function("RISK_NOTICE", `${displayBody}; return PROVIDER_DISPLAY;`); L24: const DISPLAY = getDisplay(RISK_NOTICE);
Low
Eval

Package source references a known benign dynamic code generation pattern.

scripts/injectDisplayToRegistry.mjsView on unpkg · L22
open-sse/shared/qoder/cosy.jsView file
43L44: function aesEncryptCbcBase64(plaintext, keyStr) { L45: const keyBytes = Buffer.from(keyStr, "utf8"); ... L113: * @param {string} [creds.machineId] Persisted machine UUID. L114: * @returns {Record<string, string>} Header map ready to merge onto fetch(). L115: */
Low
Weak Crypto

Package source references weak cryptographic algorithms.

open-sse/shared/qoder/cosy.jsView on unpkg · L43
installer/mop-agent.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = mop-agent@1.0.0 matchedIdentity = npm:bW9wLWFnZW50:1.0.0 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

installer/mop-agent.mjsView on unpkg
14*/ L15: import { spawnSync } from "node:child_process"; L16: import { randomBytes } from "node:crypto"; ... L18: import { createInterface } from "node:readline/promises"; L19: import { stdin as input, stdout as output } from "node:process"; L20: import { dirname, resolve, join } from "node:path"; ... L47: const DRY = !!args["dry-run"]; L48: const randomToken = (n) => randomBytes(n).toString("base64url").slice(0, n); L49: const randomHex = (n) => randomBytes(n).toString("hex").slice(0, n); ... L180: console.log(c("green", `\n✓ Setup complete. Start now: `) + c("bold", `node scripts/serve.mjs start`)); L181: console.log(c("gray", ` Open http://localhost:${port} — for HTTPS, put IIS/Caddy/nginx in front as a reverse proxy.\n`)); L182: return;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

installer/mop-agent.mjsView on unpkg · L14
cli/cli.jsView file
737console.log(`🔔 9Router is running in tray (PID: ${process.pid})`); L738: console.log(` Server: http://${displayHost}:${port}`); L739: console.log(`\n💡 You can close this terminal. Right-click tray icon to quit.\n`); ... L747: L748: const bgProcess = spawn(process.execPath, [__filename, "--tray", "--skip-update", "-p", port.toString()], { L749: detached: true, ... L751: windowsHide: true, L752: env: { ...process.env } L753: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

cli/cli.jsView on unpkg · L737
src/lib/updater/updater.jsView file
1// Standalone detached updater process. L2: // Spawns `npm i -g <pkg>@latest`, exposes progress via tiny HTTP server. L3: // Survives after parent Next server exits (detached + unref by spawner). L4: L5: const { spawn } = require("child_process"); L6: const http = require("http");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/lib/updater/updater.jsView on unpkg · L1
src/app/favicon.icoView file
path = src/app/favicon.ico kind = high_entropy_blob sizeBytes = 55053 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/app/favicon.icoView on unpkg
package.jsonView file
Runtime dependency names matching Node built-ins: fs
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 Critical6 High5 Medium7 Low
CriticalPrevious Version Dangerous Deltainstaller/mop-agent.mjs
HighChild Processbin/mop-detect-run.mjs
HighShellbin/mop-detect-run.mjs
HighSame File Env Network Executioncli/cli.js
HighRuntime Package Installsrc/lib/updater/updater.js
HighShips High Entropy Blobsrc/app/favicon.ico
HighNode Builtin Dependency Squatpackage.json
MediumSecret Patternsrc/app/api/profile/password/route.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceinstaller/mop-agent.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalscripts/injectDisplayToRegistry.mjs
LowWeak Cryptoopen-sse/shared/qoder/cosy.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License