
osai-agent@4.2.72

OS AI Agent - YOUR AI AGENT

AI Security Review

scanned 17h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
User runs osai-agent commands such as run, connect, mcp, or skills.
Impact
Potential file/system/SSH changes during agent sessions, subject to mode and confirmation controls.
Mechanism
LLM-driven local/SSH/MCP tool execution with user/configured providers and package server.
Policy narrative
No concrete attack chain was confirmed. The package exposes powerful agent functionality only when the user runs the CLI: it can send task context to a configured server or local provider, receive tool calls, execute local/SSH/MCP actions, and store first-party state under osai-agent paths. There is no lifecycle delivery, foreign agent control-surface mutation, credential harvesting beyond user-configured auth, or hidden persistence found in inspected source.
Rationale
The package is not malicious by the firewall's block criteria because dangerous behavior is user-invoked and package-aligned, with no install hook or foreign AI-agent hijack. It should be warned as a dangerous AI-agent capability surface rather than blocked.
Evidence
  • package.json
  • src/index.js
  • src/agent/react-loop.js
  • src/tools/local.js
  • src/safety/check.js
  • src/agent/loop/tool-executor.js
  • src/services/ssh.js
  • src/commands/mcp.js
  • src/tools/mcp-client.js
  • src/skills/loader.js
  • src/services/server-url.js
  • src/llm/direct.js
  • ~/.osai-agent/skills
  • ./.osai-agent/skills
  • ~/.osai-agent/todos
  • ~/.osai-agent/memory
  • ~/.osai-agent/sessions
Network endpoints (10)
  • wss://OLOJEDE-osai-agent-server.hf.space
  • OLOJEDE-osai-agent-server.hf.space
  • api.openai.com/v1
  • api.anthropic.com
  • generativelanguage.googleapis.com
  • api.groq.com/openai/v1
  • api.mistral.ai/v1
  • api.deepseek.com/v1
  • openrouter.ai/api/v1
  • localhost:11434/v1

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/agent/react-loop.js sends prompts/history/cwd/meta to configured server /stream and receives tool calls.
  • src/tools/local.js exposes LOCAL_CMD, file write/edit/delete, fetch/search, and script execution tools for agent use.
  • src/services/ssh.js accepts user/device SSH credentials and executes SSH commands on selected hosts.
  • src/commands/mcp.js and src/tools/mcp-client.js let users register stdio/http MCP servers and call their tools.
  • src/skills/loader.js can create/load first-party skills under ~/.osai-agent/skills or ./.osai-agent/skills.
Evidence against
  • package.json has no npm lifecycle hooks, install scripts, or postinstall execution.
  • Entrypoint src/index.js is a user-invoked CLI dispatcher, not import-time malware.
  • No evidence of writes to foreign AI-agent surfaces such as CLAUDE.md, Codex/Cursor settings, or .mcp.json.
  • SSH private key pattern in src/services/ssh.js is validation of user-supplied credentials, not an embedded secret.
  • Local command execution filters environment variables and applies safety/confirmation checks in src/safety/check.js and tool-executor.js.
  • Network endpoints are package-aligned AI/provider/auth/search endpoints, with no hidden exfiltration path found.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 89 file(s), 716 KB of source, external domains: agent.osai.dev, api.anthropic.com, api.cerebras.ai, api.cohere.ai, api.deepinfra.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.hyperbolic.xyz, api.lingyiwanwu.com, api.mistral.ai, api.moonshot.ai, api.novita.ai, api.openai.com, api.perplexity.ai, api.siliconflow.cn, api.studio.nebius.ai, api.together.ai, api.x.ai, codestral.mistral.ai, dashscope.aliyuncs.com, generativelanguage.googleapis.com, html.duckduckgo.com, integrate.api.nvidia.com, models.github.ai, ollama.com, open.bigmodel.cn, openrouter.ai, osaix.vercel.app, qianfan.baidubce.com, router.huggingface.co

Source & flagged code

7 flagged

src/services/ssh.js
patternName = private_key_openssh severity = critical line = 19 matchedText = /^-----B...--/,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/services/ssh.js · L19

patternName = private_key_openssh severity = critical line = 19 matchedText = /^-----B...--/,
Critical
Secret Pattern

OpenSSH private key in src/services/ssh.js

src/services/ssh.js · L19

patternName = private_key_rsa severity = critical line = 20 matchedText = /^-----B...--/,
Critical
Secret Pattern

RSA private key in src/services/ssh.js

src/services/ssh.js · L20

patternName = private_key_ec severity = critical line = 22 matchedText = /^-----B...--/,
Critical
Secret Pattern

EC private key in src/services/ssh.js

src/services/ssh.js · L22

src/agent/react-loop.js
matchType = previous_version_dangerous_delta matchedPackage = osai-agent@4.2.68 matchedIdentity = npm:b3NhaS1hZ2VudA:4.2.68 similarity = 0.921 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/agent/react-loop.js

src/ui/components/ConfirmationDialog.js
patternName = generic_password severity = medium line = 41 matchedText = h(Text, ...')),
Medium
Secret Pattern

Hardcoded password in src/ui/components/ConfirmationDialog.js

src/ui/components/ConfirmationDialog.js · L41

src/agent/loop/tool-executor.js
patternName = generic_password severity = medium line = 243 matchedText = this.rea...)));
Medium
Secret Pattern

Hardcoded password in src/agent/loop/tool-executor.js

src/agent/loop/tool-executor.js · L243

Findings

4 Critical · 1 High · 4 Medium · 5 Low
Critical · Critical Secret · src/services/ssh.js
Critical · Secret Pattern · src/services/ssh.js
Critical · Secret Pattern · src/services/ssh.js
Critical · Secret Pattern · src/services/ssh.js
High · Previous Version Dangerous Delta · src/agent/react-loop.js
Medium · Network
Medium · Environment Vars
Medium · Secret Pattern · src/ui/components/ConfirmationDialog.js
Medium · Secret Pattern · src/agent/loop/tool-executor.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License