AI Security Review
scanned 4d ago · by lpm-firewall-ai
This is a user-invoked AI/sysadmin CLI with expected remote server, LLM, SSH, shell, and file-operation capabilities. The risky primitives are visible product functionality rather than hidden package attack behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs osai-agent commands such as run, connect, devices add, or provider configuration.
Impact
Can modify local files or run commands only during user-driven agent sessions; no confirmed malicious behavior.
Mechanism
Interactive AI agent tool execution with confirmation gates and configured network services.
Rationale
Static inspection shows a CLI AI agent with powerful but explicit user-invoked capabilities and no lifecycle hook, import-time payload, credential harvesting, or hidden exfiltration. The scanner secret finding is SSH private-key validation text in src/services/ssh.js, not an embedded secret.
Evidence
- package.json
- src/index.js
- src/services/ssh.js
- src/services/server-url.js
- src/tools/local.js
- src/services/executor.js
- src/commands/devices.js
- src/safety/check.js
- src/agent/loop/tool-executor.js
- src/llm/direct.js
- Conf project storage for osai-agent
- ~/.osai-agent/todos/*.json
Network endpoints (12)
- wss://OLOJEDE-osai-agent-server.hf.space
- api.anthropic.com/v1/models
- api.anthropic.com/v1/messages
- generativelanguage.googleapis.com/v1beta/models
- api.openai.com/v1
- api.groq.com/openai/v1
- api.mistral.ai/v1
- api.deepseek.com/v1
- api.x.ai/v1
- api.cohere.ai/compatibility/v1
- api.perplexity.ai
- api.together.ai/v1
Decision evidence
public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- src/tools/local.js exposes shell and file-write/delete tools to the AI agent at user runtime.
- src/commands/devices.js can upload encrypted device credentials to the configured server when user runs devices add.
Evidence against
- package.json has no preinstall/postinstall/prepare lifecycle scripts.
- src/index.js only dispatches explicit CLI commands; no hidden install-time execution found.
- src/services/ssh.js validates user-supplied SSH keys and uses them only for ssh2 connections.
- src/safety/check.js classifies write/dangerous commands and src/agent/loop/tool-executor.js prompts unless coding/noConfirm modes apply.
- Network calls are package-aligned: auth/device/provider/agent server, LLM APIs, search providers, SSH/WebSocket features.
- No credential harvesting, persistence, destructive startup behavior, or reviewer/prompt manipulation found.
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
HighEntropyStrings, UrlStrings
NoLicense
Source & flagged code
6 flagged
src/services/ssh.js
- line 19: patternName = private_key_openssh, severity = critical, matchedText = /^-----B...--/,
- line 20: patternName = private_key_rsa, severity = critical, matchedText = /^-----B...--/,
- line 22: patternName = private_key_ec, severity = critical, matchedText = /^-----B...--/,
Critical · Critical Secret: Package contains a critical-looking secret pattern.
src/ui/components/ConfirmationDialog.js
- line 41: patternName = generic_password, severity = medium, matchedText = h(Text, ...')),
Medium · Secret Pattern: Hardcoded password in src/ui/components/ConfirmationDialog.js
src/agent/loop/tool-executor.js
- line 243: patternName = generic_password, severity = medium, matchedText = this.rea...)));
Medium · Secret Pattern: Hardcoded password in src/agent/loop/tool-executor.js
Findings
4 Critical · 4 Medium · 5 Low
- Critical · Critical Secret · src/services/ssh.js
- Critical · Secret Pattern · src/services/ssh.js
- Critical · Secret Pattern · src/services/ssh.js
- Critical · Secret Pattern · src/services/ssh.js
- Medium · Network
- Medium · Environment Vars
- Medium · Secret Pattern · src/ui/components/ConfirmationDialog.js
- Medium · Secret Pattern · src/agent/loop/tool-executor.js
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License