osai-agent@4.2.67

OS AI Agent - YOUR AI AGENT

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs osai-agent run/connect/mcp/skills or an authenticated interactive agent session invokes tools.
Impact
Could modify files, run commands, connect to configured servers, or operate over SSH when used; no hidden exfiltration or lifecycle hijack was confirmed.
Mechanism
runtime AI-agent capability surface with shell/file/SSH/MCP tools
Policy narrative
The package provides an AI agent CLI that can execute local commands, edit/delete files, manage skills, call MCP tools, and connect over SSH after runtime invocation. These are dangerous dual-use capabilities, but source inspection did not show npm lifecycle execution, hidden persistence, credential harvesting, broad foreign AI-agent control-surface mutation, or hardcoded malicious payload delivery.
Rationale
Static source inspection supports a warn-level dangerous capability verdict rather than a block: the risky primitives are core to the advertised AI/sysadmin agent and are runtime/user-invoked, with no lifecycle hijack or concrete exfiltration path found. Because the tool can run shell/file/SSH/MCP actions under model control, it should not be marked clean.
Evidence
  • package.json
  • src/index.js
  • src/tools/local.js
  • src/agent/loop/tool-executor.js
  • src/safety/check.js
  • src/services/ssh.js
  • src/services/session.js
  • src/services/server-url.js
  • src/skills/loader.js
  • src/tools/mcp-client.js
  • ~/.osai-agent/sessions
  • ~/.osai-agent/todos
  • ~/.osai-agent/skills
  • ./.osai-agent/skills
Network endpoints (4)
  • wss://OLOJEDE-osai-agent-server.hf.space
  • agent.osai.dev
  • osaix.vercel.app
  • localhost:11434/v1

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/tools/local.js exposes LOCAL_CMD via /bin/sh plus file write/edit/delete and script execution tools for the interactive agent.
  • src/agent/loop/tool-executor.js dispatches MCP_TOOL, SSH_CMD, WRITE_FILE, DELETE_FILE, RUN_SCRIPT and LOCAL_CMD from model/tool calls.
  • src/skills/loader.js can create/load SKILL.md under ~/.osai-agent/skills or project .osai-agent/skills.
  • src/services/session.js can save conversation history locally under ~/.osai-agent/sessions and to configured cloud endpoints.
  • src/services/server-url.js defaults to wss://OLOJEDE-osai-agent-server.hf.space; runtime commands also use user/configured server URLs.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • src/index.js only routes explicit CLI commands; no import-time hidden execution beyond update-notifier.
  • No evidence of unconsented writes to foreign AI-agent surfaces such as CLAUDE.md, .mcp.json, Codex, Cursor, or Claude settings.
  • SSH private key strings in src/services/ssh.js are validation patterns and user-supplied auth handling, not embedded secrets.
  • Local command execution filters environment variables and uses confirmation/PLAN controls in src/agent/loop/tool-executor.js and src/safety/check.js.
  • MCP servers are loaded from osai-agent configuration and connected at runtime, not planted during install.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 89 file(s), 713 KB of source, external domains: agent.osai.dev, api.anthropic.com, api.cerebras.ai, api.cohere.ai, api.deepinfra.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.hyperbolic.xyz, api.lingyiwanwu.com, api.mistral.ai, api.moonshot.ai, api.novita.ai, api.openai.com, api.perplexity.ai, api.siliconflow.cn, api.studio.nebius.ai, api.together.ai, api.x.ai, codestral.mistral.ai, dashscope.aliyuncs.com, generativelanguage.googleapis.com, html.duckduckgo.com, integrate.api.nvidia.com, models.github.ai, ollama.com, open.bigmodel.cn, openrouter.ai, osaix.vercel.app, qianfan.baidubce.com, router.huggingface.co

Source & flagged code

6 flagged

src/services/ssh.js
  • Critical · Critical Secret · line 19 · patternName = private_key_openssh · matchedText = /^-----B...--/,
    Package contains a critical-looking secret pattern.
  • Critical · Secret Pattern · line 19 · patternName = private_key_openssh · matchedText = /^-----B...--/,
    OpenSSH private key in src/services/ssh.js
  • Critical · Secret Pattern · line 20 · patternName = private_key_rsa · matchedText = /^-----B...--/,
    RSA private key in src/services/ssh.js
  • Critical · Secret Pattern · line 22 · patternName = private_key_ec · matchedText = /^-----B...--/,
    EC private key in src/services/ssh.js
  Note: the matched text at lines 19, 20 and 22 is a regex literal; the decision evidence above records these as key-format validation patterns and user-supplied auth handling, not embedded private keys.

src/ui/components/ConfirmationDialog.js
  • Medium · Secret Pattern · line 41 · patternName = generic_password · matchedText = h(Text, ...')),
    Hardcoded password in src/ui/components/ConfirmationDialog.js

src/agent/loop/tool-executor.js
  • Medium · Secret Pattern · line 243 · patternName = generic_password · matchedText = this.rea...)));
    Hardcoded password in src/agent/loop/tool-executor.js

Findings

4 Critical · 4 Medium · 5 Low
  • Critical · Critical Secret · src/services/ssh.js
  • Critical · Secret Pattern · src/services/ssh.js
  • Critical · Secret Pattern · src/services/ssh.js
  • Critical · Secret Pattern · src/services/ssh.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Secret Pattern · src/ui/components/ConfirmationDialog.js
  • Medium · Secret Pattern · src/agent/loop/tool-executor.js
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License