osai-agent@4.2.66

OS AI Agent - YOUR AI AGENT

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI AI agent with network, shell, file, and SSH capabilities that are declared by its README and activated by explicit CLI/runtime use.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs osai-agent commands such as run, connect, login, devices, or provider.
Impact
User-authorized local/remote command execution and communication with configured LLM/server endpoints; no hidden exfiltration or lifecycle execution confirmed.
Mechanism
Declared AI-agent command execution and SSH management
Rationale
Static source inspection shows a declared terminal AI/sysadmin package with explicit CLI-triggered network, local command, file, and SSH tools, but no lifecycle execution, hidden credential harvesting, persistence, destructive default behavior, or unconsented AI-agent control-surface mutation. Scanner secret/network findings are explained by SSH key validation, encrypted device/provider configuration, and documented server/provider communication.
Evidence
  • package.json
  • README.md
  • src/index.js
  • src/commands/run.js
  • src/commands/login.js
  • src/commands/devices.js
  • src/commands/connect.js
  • src/services/ssh.js
  • src/services/crypto.js
  • src/tools/local.js
  • src/agent/loop/tool-executor.js
  • src/safety/check.js
Network endpoints (9)
  • wss://OLOJEDE-osai-agent-server.hf.space
  • api.openai.com/v1
  • api.anthropic.com
  • generativelanguage.googleapis.com
  • api.groq.com/openai/v1
  • api.mistral.ai/v1
  • api.deepseek.com/v1
  • api.x.ai/v1
  • openrouter.ai/api/v1

Decision evidence

public snapshot
AI verdict: Clean, classified Benign at 86.0% confidence, with low false-positive risk.
Evidence for block
  • src/tools/local.js exposes user-invoked shell/file tools including spawn, writeFile, appendFile, and deleteFile.
  • src/agent/react-loop.js sends prompts/history and metadata to configured /stream endpoint in server mode.
  • src/services/ssh.js accepts user-provided SSH password/privateKey to connect and run commands.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; entrypoint is CLI bin src/index.js.
  • README.md documents terminal AI agent, command execution, SSH, provider, and server modes matching observed code.
  • src/agent/loop/tool-executor.js routes tool calls through safety checks and confirmations for write/dangerous actions outside coding mode.
  • src/services/ssh.js validates private key format and uses credentials only for requested SSH connections; no secret harvesting loop found.
  • src/tools/local.js filters environment variables passed to spawned commands and command execution is user/LLM-tool invoked.
  • No code found writing AGENTS.md/.codex/.cursor or performing import/install-time execution.
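The two controls the evidence above credits, confirmation gating for write/dangerous tools and environment filtering for spawned commands, sketched as an added example in JavaScript. This is not osai-agent's code: filterEnv, classifyTool, needsConfirmation, executeTool, the allowlist and the coding-mode rule (writes skip the prompt, dangerous actions never do) are assumptions made for illustration, and the demo environment values are constructed.

```javascript
// Added example, not osai-agent's code: a minimal tool executor that gates
// write/dangerous tools behind a confirmation callback and spawns commands
// with a filtered environment. All names and policy choices are hypothetical.

// Environment policy: only these names reach a spawned child, and even an
// allowlisted name is dropped if it looks like a credential.
const ENV_ALLOWLIST = ['PATH', 'HOME', 'USER', 'LANG', 'LC_ALL', 'TERM', 'TMPDIR', 'SHELL'];
const SECRET_NAME = /KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL/i;

// Returns the environment to hand to the child plus the names that were dropped,
// so the caller can log or display what the LLM-invoked command did not receive.
function filterEnv(env, extraAllowed = []) {
  const allowed = new Set([...ENV_ALLOWLIST, ...extraAllowed]);
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(env)) {
    if (allowed.has(name) && !SECRET_NAME.test(name)) kept[name] = value;
    else dropped.push(name);
  }
  return { kept, dropped };
}

// Tool classes: read tools never prompt; write tools prompt outside coding mode;
// dangerous tools (and any tool not in the table) always prompt.
const TOOL_CLASS = {
  readFile: 'read', listDir: 'read',
  writeFile: 'write', appendFile: 'write',
  deleteFile: 'dangerous', spawn: 'dangerous',
};

function classifyTool(name) {
  return TOOL_CLASS[name] || 'dangerous';
}

function needsConfirmation(toolClass, mode) {
  if (toolClass === 'read') return false;
  if (toolClass === 'write' && mode === 'coding') return false;
  return true;
}

// Default runner: synchronous spawn without a shell, required lazily so the
// pure helpers above can be exercised without child_process.
function defaultRunner(command, args, opts) {
  const { spawnSync } = require('node:child_process');
  const r = spawnSync(command, args, { ...opts, shell: false, encoding: 'utf8' });
  return { status: r.status, stdout: r.stdout };
}

// Executes one tool call. `confirm(call, toolClass)` returns true to allow;
// `runner` and `env` are injectable so the gate can be tested without spawning.
function executeTool(call, options = {}) {
  const { mode = 'chat', confirm = () => false, runner = defaultRunner, env = process.env } = options;
  const toolClass = classifyTool(call.name);
  if (needsConfirmation(toolClass, mode) && !confirm(call, toolClass)) {
    return { ok: false, toolClass, reason: `${call.name} (${toolClass}) was not confirmed` };
  }
  if (call.name === 'spawn') {
    const { kept, dropped } = filterEnv(env, call.args.allowEnv || []);
    const result = runner(call.args.command, call.args.args || [], { env: kept });
    return { ok: true, toolClass, droppedEnv: dropped, result };
  }
  // File tools would be dispatched here; omitted to keep the gate in focus.
  return { ok: true, toolClass, result: null };
}

// Stand-alone demo (CommonJS): spawn `env` with a credential-bearing environment
// and show that the child never sees the API key. The values are constructed.
if (typeof require !== 'undefined' && require.main === module) {
  const demoEnv = { PATH: process.env.PATH, HOME: '/tmp/demo', OPENAI_API_KEY: 'sk-constructed-not-real' };
  const out = executeTool(
    { name: 'spawn', args: { command: 'env', args: [] } },
    { mode: 'chat', confirm: () => true, env: demoEnv },
  );
  console.log('dropped from child env:', out.droppedEnv);
  console.log(out.result.stdout);
}
```

The check a reviewer actually wants from a package like this is the `dropped` list: if a spawned command can read the provider API key or SSH credentials from its environment, the confirmation prompt is doing less than it appears to.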
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 89 file(s), 712 KB of source, external domains: agent.osai.dev, api.anthropic.com, api.cerebras.ai, api.cohere.ai, api.deepinfra.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.hyperbolic.xyz, api.lingyiwanwu.com, api.mistral.ai, api.moonshot.ai, api.novita.ai, api.openai.com, api.perplexity.ai, api.siliconflow.cn, api.studio.nebius.ai, api.together.ai, api.x.ai, codestral.mistral.ai, dashscope.aliyuncs.com, generativelanguage.googleapis.com, html.duckduckgo.com, integrate.api.nvidia.com, models.github.ai, ollama.com, open.bigmodel.cn, openrouter.ai, osaix.vercel.app, qianfan.baidubce.com, router.huggingface.co

Source & flagged code

6 flagged
src/services/ssh.js
  • line 19 · Critical · Critical Secret · pattern private_key_openssh · matched text /^-----B...--/,
    Package contains a critical-looking secret pattern.
  • line 19 · Critical · Secret Pattern · pattern private_key_openssh · matched text /^-----B...--/,
    OpenSSH private key in src/services/ssh.js
  • line 20 · Critical · Secret Pattern · pattern private_key_rsa · matched text /^-----B...--/,
    RSA private key in src/services/ssh.js
  • line 22 · Critical · Secret Pattern · pattern private_key_ec · matched text /^-----B...--/,
    EC private key in src/services/ssh.js
  In all four hits the matched text is a regex literal (a PEM header inside /^...-----/ followed by a comma), not key material; this is the key-format validation the rationale and the evidence above refer to.
src/ui/components/ConfirmationDialog.js
  • line 41 · Medium · Secret Pattern · pattern generic_password · matched text h(Text, ...'))
    Hardcoded password in src/ui/components/ConfirmationDialog.js
src/agent/loop/tool-executor.js
  • line 243 · Medium · Secret Pattern · pattern generic_password · matched text this.rea...)))
    Hardcoded password in src/agent/loop/tool-executor.js
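Why a key-format validator trips private-key secret patterns, and how to triage such a hit, as an added example in JavaScript that is not osai-agent's code. KEY_FORMATS, detectKeyFormat, HEADER_PATTERN, scanForHeaders, looksLikeEmbeddedKey and triage are hypothetical names; the three source samples are constructed, and the base64 body in the embedded samples is filler, not a real key.

```javascript
// Added example, not osai-agent's code: why a key-format validator trips
// private-key secret patterns, and a triage check that separates a PEM header
// inside a regex or string from an actually embedded key. Names are hypothetical.

// A validation table of the flagged kind. The *source text* of each regex
// contains a PEM header, which is exactly what a line-based secret rule matches.
const KEY_FORMATS = {
  openssh: /^-----BEGIN OPENSSH PRIVATE KEY-----/m,
  rsa: /^-----BEGIN RSA PRIVATE KEY-----/m,
  ec: /^-----BEGIN EC PRIVATE KEY-----/m,
};

function detectKeyFormat(pem) {
  for (const [name, re] of Object.entries(KEY_FORMATS)) if (re.test(pem)) return name;
  return null;
}

// Naive scanner rule: report every line that carries a private-key header.
const HEADER_PATTERN = /-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----/;

function scanForHeaders(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    const m = HEADER_PATTERN.exec(text);
    if (m) hits.push({ line: i + 1, type: m[1] });
  });
  return hits;
}

// Triage: a real embedded key has a header, at least one base64 body line and a
// matching END footer. A regex literal or a bare header string has the header
// only. Escaped "\n" sequences are expanded first so a one-line string literal
// holding a whole key is still recognised (the reported line then refers to the
// expanded text).
const BASE64_LINE = /^[A-Za-z0-9+/=]{16,}$/;

function looksLikeEmbeddedKey(source) {
  const lines = source.replace(/\\n/g, '\n').split('\n').map((l) => l.trim());
  for (let i = 0; i < lines.length; i++) {
    const m = HEADER_PATTERN.exec(lines[i]);
    if (!m) continue;
    const footer = `-----END ${m[1]} PRIVATE KEY-----`;
    let bodyLines = 0;
    for (let j = i + 1; j < lines.length; j++) {
      if (lines[j].includes(footer)) {
        if (bodyLines > 0) return { embedded: true, line: i + 1, type: m[1] };
        break;
      }
      if (!BASE64_LINE.test(lines[j])) break;
      bodyLines++;
    }
  }
  return { embedded: false };
}

function triage(source) {
  return { headerHits: scanForHeaders(source), verdict: looksLikeEmbeddedKey(source) };
}

// Constructed sample 1: validation source of the flagged kind (regex source only).
const VALIDATOR_SOURCE = `
const KEY_FORMATS = {
  openssh: /^-----BEGIN OPENSSH PRIVATE KEY-----/m,
  rsa: /^-----BEGIN RSA PRIVATE KEY-----/m,
  ec: /^-----BEGIN EC PRIVATE KEY-----/m,
};`;

// Constructed sample 2: a key actually embedded in source. The body is base64 of
// "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", filler rather than key material.
const EMBEDDED_SOURCE = `
const DEPLOY_KEY = \`-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END RSA PRIVATE KEY-----\`;`;

// Constructed sample 3: the same filler key as a one-line string with escaped newlines.
const ESCAPED_SOURCE =
  'const k = "-----BEGIN EC PRIVATE KEY-----\\nQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5\\n-----END EC PRIVATE KEY-----";';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, src] of Object.entries({ VALIDATOR_SOURCE, EMBEDDED_SOURCE, ESCAPED_SOURCE })) {
    console.log(name, JSON.stringify(triage(src)));
  }
}
```

The naive rule reports three hits on the validator and one on each embedded sample, so it cannot distinguish them; the body-and-footer check does, which is the same reasoning the review applied when it downgraded the four ssh.js hits to key-format validation.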

Findings

4 Critical · 4 Medium · 5 Low
  • Critical · Critical Secret · src/services/ssh.js
  • Critical · Secret Pattern · src/services/ssh.js
  • Critical · Secret Pattern · src/services/ssh.js
  • Critical · Secret Pattern · src/services/ssh.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Secret Pattern · src/ui/components/ConfirmationDialog.js
  • Medium · Secret Pattern · src/agent/loop/tool-executor.js
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License