registry  /  omniagent  /  0.1.16

omniagent@0.1.16

Unified agent configuration CLI that compiles canonical agent configs to multiple runtimes.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
Explicit `omniagent sync` or `omniagent usage` invocation
Impact
A user-selected project template can run with the invoking user's permissions and write managed agent files.
Mechanism
Agent-config synchronization plus execution of user-supplied template script blocks
Rationale
No concrete malicious chain is present, but explicit shell/Node template execution and AI-agent configuration mutation are risky capabilities. Treat as a warning rather than a block because activation depends on user commands and supplied content.
Evidence
package.jsondist/cli.jsdist/claude-CcxRb8OW.jsdist/codex-DhlBosXm.jsagents/skills/hello-world/SKILL.mdagents/skills/pr-prep/SKILL.mdagents/**{repoRoot}/.claude/**{repoRoot}/.codex/**{homeDir}/.omniagent/state/**{homeDir}/.claude/.credentials.json{homeDir}/.codex/auth.json
Network endpoints2
api.anthropic.com/v1/messageschatgpt.com/backend-api/wham/usage

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/cli.js` executes `<nodejs>` template blocks with `new AsyncFunction`.
  • `dist/cli.js` executes `<shell>` template blocks through a system shell.
  • `omniagent sync` explicitly writes/removes managed files for Claude, Codex, Copilot, and Antigravity targets.
  • `usage` reads Claude/Codex credentials only to call their respective usage endpoints.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • No shipped `agents/**` template contains executable script tags.
  • Only observed network endpoints are Anthropic and ChatGPT usage APIs.
  • No remote payload download, stealth persistence, credential exfiltration endpoint, or destructive install-time behavior found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 486 KB of source, external domains: api.anthropic.com, chatgpt.com, github.com, raw.githubusercontent.com

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/cli.js` executes `<nodejs>` template blocks with `new AsyncFunction`.

dist/cli.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/cli.js` executes `<shell>` template blocks through a system shell.

dist/cli.jsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/cli.js
MediumAi Review Evidencedist/cli.js
MediumAi Review Evidence
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings