AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a CLI AI agent with network, shell, file, and SSH capabilities that are declared by its README and activated by explicit CLI/runtime use.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs osai-agent commands such as run, connect, login, devices, or provider.
Impact
User-authorized local/remote command execution and communication with configured LLM/server endpoints; no hidden exfiltration or lifecycle execution confirmed.
Mechanism
Declared AI-agent command execution and SSH management
Rationale
Static source inspection shows a declared terminal AI/sysadmin package with explicit CLI-triggered network, local command, file, and SSH tools, but no lifecycle execution, hidden credential harvesting, persistence, destructive default behavior, or unconsented AI-agent control-surface mutation. Scanner secret/network findings are explained by SSH key validation, encrypted device/provider configuration, and documented server/provider communication.
Evidence
- package.json
- README.md
- src/index.js
- src/commands/run.js
- src/commands/login.js
- src/commands/devices.js
- src/commands/connect.js
- src/services/ssh.js
- src/services/crypto.js
- src/tools/local.js
- src/agent/loop/tool-executor.js
- src/safety/check.js
Network endpoints (9)
- wss://OLOJEDE-osai-agent-server.hf.space
- api.openai.com/v1
- api.anthropic.com
- generativelanguage.googleapis.com
- api.groq.com/openai/v1
- api.mistral.ai/v1
- api.deepseek.com/v1
- api.x.ai/v1
- openrouter.ai/api/v1
Decision evidence
public snapshot: AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- src/tools/local.js exposes user-invoked shell/file tools including spawn, writeFile, appendFile, and deleteFile.
- src/agent/react-loop.js sends prompts/history and metadata to configured /stream endpoint in server mode.
- src/services/ssh.js accepts user-provided SSH password/privateKey to connect and run commands.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; entrypoint is CLI bin src/index.js.
- README.md documents terminal AI agent, command execution, SSH, provider, and server modes matching observed code.
- src/agent/loop/tool-executor.js routes tool calls through safety checks and confirmations for write/dangerous actions outside coding mode.
- src/services/ssh.js validates private key format and uses credentials only for requested SSH connections; no secret harvesting loop found.
- src/tools/local.js filters environment variables passed to spawned commands and command execution is user/LLM-tool invoked.
- No code found writing AGENTS.md/.codex/.cursor or performing import/install-time execution.
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
HighEntropyStrings, UrlStrings
NoLicense
Source & flagged code
6 flagged
src/services/ssh.js
patternName = private_key_openssh
severity = critical
line = 19
matchedText = /^-----B...--/,
Critical
Critical Secret
Package contains a critical-looking secret pattern.
patternName = private_key_openssh
severity = critical
line = 19
matchedText = /^-----B...--/,
Critical
patternName = private_key_rsa
severity = critical
line = 20
matchedText = /^-----B...--/,
Critical
patternName = private_key_ec
severity = critical
line = 22
matchedText = /^-----B...--/,
Critical
src/ui/components/ConfirmationDialog.js
patternName = generic_password
severity = medium
line = 41
matchedText = h(Text, ...')),
Medium
Secret Pattern
Hardcoded password in src/ui/components/ConfirmationDialog.js
src/agent/loop/tool-executor.js
patternName = generic_password
severity = medium
line = 243
matchedText = this.rea...)));
Medium
Secret Pattern
Hardcoded password in src/agent/loop/tool-executor.js
Findings
4 Critical · 4 Medium · 5 Low
- Critical · Critical Secret · src/services/ssh.js
- Critical · Secret Pattern · src/services/ssh.js
- Critical · Secret Pattern · src/services/ssh.js
- Critical · Secret Pattern · src/services/ssh.js
- Medium · Network
- Medium · Environment Vars
- Medium · Secret Pattern · src/ui/components/ConfirmationDialog.js
- Medium · Secret Pattern · src/agent/loop/tool-executor.js
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License