registry  /  patchwarden  /  1.5.1

patchwarden@1.5.1

Secure local MCP bridge for ChatGPT and local agents, with workspace-scoped task loops, safe summaries, audits, and Direct editing.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked tunnel launcher provisions a PatchWarden tunnel profile, loads an explicitly supplied tunnel key, and starts a tunnel client. Task execution can invoke configured local coding agents within a selected workspace.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit execution of `scripts/control/start-patchwarden-tunnel.ps1` or a PatchWarden task-runner command.
Impact
Can connect the local MCP service to a configured tunnel client and run configured local agents; no install-time or stealth activation is present.
Mechanism
User-directed local MCP/tunnel and configured-agent orchestration.
Rationale
Source inspection found no lifecycle execution, exfiltration, remote payload execution, or unconsented foreign control-surface mutation. Because the package ships explicit agent/tunnel setup that can persist package-owned integration state, retain a warning rather than publish-blocking.
Evidence
package.jsondist/index.jsdist/httpServer.jsdist/security/commandGuard.jsdist/runner/runTask.jsscripts/control/start-patchwarden-tunnel.ps1patchwarden.config.jsondist/runner/agentInvocation.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `scripts/control/start-patchwarden-tunnel.ps1` explicitly creates/updates a `tunnel-client` profile and starts its executable.
  • The same explicit launcher accepts or prompts for `CONTROL_PLANE_API_KEY` and stores a DPAPI-encrypted local cache.
  • `dist/runner/runTask.js` can spawn locally configured Codex/OpenCode agents for user-created tasks.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `dist/index.js` only starts an MCP stdio server after the user invokes its CLI.
  • `dist/runner/agentInvocation.js` uses configured commands and argument-array spawning, not shell evaluation.
  • `dist/security/commandGuard.js` rejects unsafe configured executables and allowlists verification commands.
  • `dist/httpServer.js` and `dist/control/server.js` bind their HTTP services to loopback.
  • No source evidence of credential exfiltration, remote payload download/execution, or foreign AI-agent config mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 259 file(s), 3.03 MB of source, external domains: 127.0.0.1, api.github.com, bugs.chromium.org, bugs.webkit.org, bugzilla.mozilla.org, github.com, registry.npmjs.org, tailwindcss.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/tools/androidDoctor.jsView file
9*/ L10: import { execSync } from "node:child_process"; L11: import { existsSync, readFileSync, statSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/tools/androidDoctor.jsView on unpkg · L9
dist/runner/runTask.jsView file
739const shim = /^pnpm/i.test(command) ? "pnpm.cmd" : "npm.cmd"; L740: command = process.env.ComSpec || "cmd.exe"; L741: args = ["/d", "/s", "/c", shim, ...args];
High
Shell

Package source references shell execution.

dist/runner/runTask.jsView on unpkg · L739
scripts/checks/control-center-smoke.jsView file
1442L1443: child = spawn("node", [serverPath], { L1444: cwd: projectRoot, L1445: env: { L1446: ...process.env, L1447: PATCHWARDEN_CONTROL_PORT: String(TEST_PORT), ... L1453: // is exactly the fault-tolerance path we want to exercise. L1454: PATCHWARDEN_CORE_URL: "http://127.0.0.1:18080", L1455: PATCHWARDEN_DIRECT_URL: "http://127.0.0.1:18081",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/checks/control-center-smoke.jsView on unpkg · L1442
14Cross-file remote execution chain: scripts/checks/control-center-smoke.js spawns ui/vendor/tailwindcss-browser.js; helper contains network access plus dynamic code execution. L14: L15: import { spawn, execSync } from "node:child_process"; L16: import http from "node:http"; L17: import { existsSync, mkdirSync, readdirSync, readFileSync, rmSync, statSync } from "node:fs"; ... L20: L21: const __dirname = dirname(fileURLToPath(import.meta.url)); L22: const projectRoot = join(__dirname, "..", ".."); ... L40: let childExitInfo = null; L41: let childStderr = ""; L42: let childStdout = ""; ... L128: res.on("data", (chunk) => (data += chunk)); L129: res.on("end", () => resolve({ status: res.statusCode, headers: res.headers, body: data }));
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/checks/control-center-smoke.jsView on unpkg · L14
PatchWarden-Desktop.cmdView file
path = PatchWarden-Desktop.cmd kind = build_helper sizeBytes = 194 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

PatchWarden-Desktop.cmdView on unpkg
dist/doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = patchwarden@1.1.0 matchedIdentity = npm:cGF0Y2h3YXJkZW4:1.1.0 similarity = 0.408 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/doctor.jsView on unpkg

Findings

1 Critical4 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/doctor.js
HighChild Processdist/tools/androidDoctor.js
HighShelldist/runner/runTask.js
HighSame File Env Network Executionscripts/checks/control-center-smoke.js
HighCross File Remote Execution Contextscripts/checks/control-center-smoke.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperPatchWarden-Desktop.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings