
osai-agent@4.2.64

OS AI Agent - YOUR AI AGENT

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a powerful AI/sysadmin CLI with command, file, SSH, and network capabilities, but these are package-aligned and activated by explicit user CLI sessions.

Static reason: One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger: Explicit osai-agent run/connect/login/register/devices/provider commands
Impact: User-authorized local/remote command execution, file edits, SSH commands, and provider/server API calls
Mechanism: User-invoked AI agent and SSH management toolchain
Rationale: Static inspection confirms dangerous primitives, but they are consistent with the advertised AI sysadmin/coding/SSH agent and require explicit user invocation; no install-time execution, hidden credential harvesting, persistence, destructive payload, or control-surface mutation was found. Scanner secret and dangerous-delta hints are explained by SSH private-key validation and normal agent tool capabilities.
Evidence
  • package.json
  • src/index.js
  • src/agent/react-loop.js
  • src/agent/loop/tool-executor.js
  • src/tools/local.js
  • src/services/ssh.js
  • src/services/server-url.js
  • README.md
Network endpoints (5)
  • wss://OLOJEDE-osai-agent-server.hf.space
  • api.openai.com/v1
  • api.anthropic.com
  • generativelanguage.googleapis.com
  • localhost:11434/v1

Decision evidence

Public snapshot: AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • src/agent/react-loop.js implements an AI-agent loop that can dispatch local command, file, SSH, browser, and web-search tools.
  • src/tools/local.js contains shell execution and file write/delete primitives reachable during explicit agent sessions.
  • src/agent/react-loop.js posts prompts/history and metadata to configured server /stream in non-local mode.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; activation is via explicit CLI commands.
  • src/index.js is a CLI dispatcher with no hidden import-time payload beyond update-notifier.
  • src/services/ssh.js uses user/device-supplied SSH credentials for ssh2 connections; no hardcoded secret or exfiltration sink found.
  • README.md advertises command execution, file operations, SSH/network management, provider configuration, and local/server modes.
  • src/agent/loop/tool-executor.js applies confirmation gates for non-coding write/dangerous actions and makes subagents read-only.
  • find/rg inspection found no hidden dotfile payloads, obfuscation, AGENTS/Codex control-surface writes, or reviewer prompt injection.
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense
scanned 89 file(s), 712 KB of source, external domains: agent.osai.dev, api.anthropic.com, api.cerebras.ai, api.cohere.ai, api.deepinfra.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.hyperbolic.xyz, api.lingyiwanwu.com, api.mistral.ai, api.moonshot.ai, api.novita.ai, api.openai.com, api.perplexity.ai, api.siliconflow.cn, api.studio.nebius.ai, api.together.ai, api.x.ai, codestral.mistral.ai, dashscope.aliyuncs.com, generativelanguage.googleapis.com, html.duckduckgo.com, integrate.api.nvidia.com, models.github.ai, ollama.com, open.bigmodel.cn, openrouter.ai, osaix.vercel.app, qianfan.baidubce.com, router.huggingface.co

Source & flagged code

7 flagged
src/services/ssh.js
patternName = private_key_openssh severity = critical line = 19 matchedText = /^-----B...--/,
Critical · Critical Secret

Package contains a critical-looking secret pattern.

src/services/ssh.js · L19

src/services/ssh.js
patternName = private_key_openssh severity = critical line = 19 matchedText = /^-----B...--/,
Critical · Secret Pattern

OpenSSH private key in src/services/ssh.js

src/services/ssh.js · L19

src/services/ssh.js
patternName = private_key_rsa severity = critical line = 20 matchedText = /^-----B...--/,
Critical · Secret Pattern

RSA private key in src/services/ssh.js

src/services/ssh.js · L20

src/services/ssh.js
patternName = private_key_ec severity = critical line = 22 matchedText = /^-----B...--/,
Critical · Secret Pattern

EC private key in src/services/ssh.js

src/services/ssh.js · L22

src/agent/react-loop.js
matchType = previous_version_dangerous_delta matchedPackage = osai-agent@4.2.63 matchedIdentity = npm:b3NhaS1hZ2VudA:4.2.63 similarity = 0.989 summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/agent/react-loop.js

src/ui/components/ConfirmationDialog.js
patternName = generic_password severity = medium line = 41 matchedText = h(Text, ...')),
Medium · Secret Pattern

Hardcoded password in src/ui/components/ConfirmationDialog.js

src/ui/components/ConfirmationDialog.js · L41

src/agent/loop/tool-executor.js
patternName = generic_password severity = medium line = 243 matchedText = this.rea...)));
Medium · Secret Pattern

Hardcoded password in src/agent/loop/tool-executor.js

src/agent/loop/tool-executor.js · L243

Findings

5 Critical · 4 Medium · 5 Low
Critical · Critical Secret · src/services/ssh.js
Critical · Previous Version Dangerous Delta · src/agent/react-loop.js
Critical · Secret Pattern · src/services/ssh.js
Critical · Secret Pattern · src/services/ssh.js
Critical · Secret Pattern · src/services/ssh.js
Medium · Network
Medium · Environment Vars
Medium · Secret Pattern · src/ui/components/ConfirmationDialog.js
Medium · Secret Pattern · src/agent/loop/tool-executor.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License