registry  /  orizu  /  0.5.1

orizu@0.5.1

Orizu is a platform that helps you build continually learning agents and other LLM applications. It does so in a scientific, measurable manner by first helping you build evals and then helping you hill climb on them.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The main risk is first-party, explicit user-command installation of Orizu agent skills and hosted sandbox orchestration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs orizu setup, orizu install-skill, skills update, hosted session commands, or login/workspace commands.
Impact
Can modify user/project agent guidance and workspace files when invoked; not automatic on npm install.
Mechanism
Explicit CLI writes agent skill files and Orizu workspace/runtime config
Rationale
Source inspection shows explicit first-party CLI functionality that installs Orizu agent skills and manages Orizu credentials/workspaces, but no npm lifecycle hook, import-time execution, stealth persistence, or exfiltration chain. Per policy this is an agent extension lifecycle risk/warn rather than a publish-blocking malicious package.
Evidence
package.jsondist/index.jsdist/skill-installer.jsdist/http.jsdist/hosted-loop.jsdist/hosted-runtime-assets.jsdist/github-setup.jsdist/credentials.jsvendor/skills/orizu-cli/SKILL.md~/.codex/skills/orizu-cli~/.agents/skills/orizu-cli~/.claude/skills/orizu-cli.agents/skills/orizu-cli.codex/skills/orizu-cli.claude/skills/orizu-cliAGENTS.md~/.config/orizu/credentials.json.orizu/setup.sh.orizu/cache/sync/<sha256>.json
Network endpoints6
orizu.ailocalhost:3000127.0.0.1:<callbackPort>github.com/<repo>.gitexample.com/api.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/skill-installer.js writes bundled Orizu skill into ~/.codex, ~/.agents, ~/.claude, project skill dirs, or AGENTS.md.
  • dist/index.js setup command can install global coding-agent skills after login/workspace setup.
  • dist/hosted-loop.js can run npm/bun global install of pinned opencode-ai inside hosted sandbox runtime.
  • dist/github-setup.js configures git credential.helper to !orizu git-credential for hosted workbench clones.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; only prepack/postpack vendor scripts.
  • Agent skill writes are explicit CLI commands: setup, install-skill, skills update; not import-time or install-time.
  • dist/http.js defaults to https://orizu.ai and refuses token transport except HTTPS or loopback HTTP.
  • dist/hosted-runtime-assets.js credential helper mints package-aligned repo tokens and scopes to expected host/protocol.
  • No source showed credential harvesting or exfiltration to non-Orizu endpoints.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 95 file(s), 1.57 MB of source, external domains: 127.0.0.1, docs.orizu.ai, fonts.googleapis.com, github.com, orizu.ai, preview.example.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/hosted-runtime-assets.jsView file
209patternName = generic_password severity = medium line = 209 matchedText = process....\n')
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/hosted-runtime-assets.jsView on unpkg · L209
dist/workspace-sync.jsView file
46*/ L47: import { spawnSync } from 'child_process'; L48: import { createHash } from 'crypto';
High
Child Process

Package source references child process execution.

dist/workspace-sync.jsView on unpkg · L46
dist/hosted-harness-claude.jsView file
103const specifier = CLAUDE_AGENT_SDK_SPECIFIER; L104: const mod = (await import(specifier)); L105: if (!mod || typeof mod.query !== 'function') {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/hosted-harness-claude.jsView on unpkg · L103
dist/hosted-loop.jsView file
212function installOpenCodePinned(version) { L213: const command = `bun add -g opencode-ai@${version} >/dev/null 2>&1 || ` + L214: `npm install -g opencode-ai@${version} >/dev/null 2>&1`; L215: const res = spawnSync('bash', ['-c', command], { encoding: 'utf8' }); L216: const ok = (res.status ?? 1) === 0;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/hosted-loop.jsView on unpkg · L212
vendor/orizu-gepa-python/src/orizu_gepa/runner.pyView file
path = vendor/orizu-gepa-python/src/orizu_gepa/runner.py kind = build_helper sizeBytes = 7381 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

vendor/orizu-gepa-python/src/orizu_gepa/runner.pyView on unpkg
dist/github-setup.jsView file
matchType = previous_version_dangerous_delta matchedPackage = orizu@0.5.0 matchedIdentity = npm:b3JpenU:0.5.0 similarity = 0.979 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/github-setup.jsView on unpkg
src/hosted-runtime-assets.tsView file
265patternName = generic_password severity = medium line = 265 matchedText = process....\n')
Medium
Secret Pattern

Hardcoded password in src/hosted-runtime-assets.ts

src/hosted-runtime-assets.tsView on unpkg · L265

Findings

1 Critical3 High7 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/github-setup.js
HighChild Processdist/workspace-sync.js
HighShell
HighRuntime Package Installdist/hosted-loop.js
MediumSecret Patterndist/hosted-runtime-assets.js
MediumDynamic Requiredist/hosted-harness-claude.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpervendor/orizu-gepa-python/src/orizu_gepa/runner.py
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/hosted-runtime-assets.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License