registry  /  patchwork-os  /  0.2.0-beta.13

patchwork-os@0.2.0-beta.13

Your personal AI runtime, local-first. Patchwork OS gives any AI model a consistent set of tools, YAML recipes, a delegation policy with approval queue, and a durable trace memory — all on your machine, all under your policy.

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a local-first AI/IDE bridge CLI with expected subprocess, local file, connector, and optional telemetry capabilities gated by user commands or configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime behavior requires invoking the CLI or configured tools
Impact
No evidence of credential harvesting, stealth exfiltration, persistence, destructive behavior, or unconsented AI-agent control-surface mutation
Mechanism
user-invoked local bridge, connector, plugin, and automation tooling
Rationale
Static inspection found powerful but package-aligned AI bridge capabilities, with install-time behavior limited to local executable/link setup. Suspicious scanner hits map to documented user-invoked CLI/connectors/plugins and include visible mitigations rather than concrete malicious behavior.
Evidence
package.jsonscripts/postinstall.mjsscripts/start-all.mjsdist/index.jsdist/pluginLoader.jsdist/connectors/confluence.jsdist/connectors/tokenStorage.jsdist/analyticsSend.jsdist/analyticsPrefs.jsnode_modules/.bin/rgCLAUDE.md.claude/rules/bridge-tools.md~/.claude/ide/analytics.json~/.patchwork/tokens
Network endpoints5
open-vsx.org/api/oolab-labs/claude-ide-bridge-extensionntfy.shanalytics.claude-ide-bridge.dev/v1/usageapi.openai.com/v1/chat/completionsapi.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall/prepare/prepublishOnly lifecycle scripts
  • scripts/postinstall.mjs chmods dist/index.js and links @vscode/ripgrep into node_modules/.bin
  • dist/index.js is a CLI with user-invoked writes to CLAUDE.md and .claude/rules/bridge-tools.md
  • dist/pluginLoader.js can dynamically import explicitly configured plugins
Evidence against
  • scripts/postinstall.mjs only performs local binary setup; no network unless an unpacked dashboard directory is present and missing node_modules
  • dist/index.js network calls are documented CLI features: Open VSX extension download, localhost bridge health, connectors, telemetry
  • dist/pluginLoader.js requires explicit plugin specs and validates manifest, entrypoint containment, prefixes, and collisions
  • dist/connectors/confluence.js blocks caller-controlled non-Atlassian URLs, including metadata endpoint SSRF
  • dist/connectors/tokenStorage.js stores user connector tokens locally via keychain/DPAPI/encrypted file, not exfiltration
  • dist/analyticsPrefs.js defaults telemetry preferences to false; analyticsSend.js only sends usage summaries when enabled
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 490 file(s), 5.33 MB of source, external domains: 127.0.0.1, 169.254.169.254, abc.ngrok-free.app, accounts.google.com, airtable.com, analytics.claude-ide-bridge.dev, api.airtable.com, api.alternative.me, api.anthropic.com, api.binance.com, api.cal.com, api.cloudflare.com, api.coingecko.com, api.figma.com, api.github.com, api.githubcopilot.com, api.hubapi.com, api.intercom.io, api.monday.com, api.notion.com, api.openai.com, api.pagerduty.com, api.paystack.co, api.resend.com, api.sendgrid.com, api.stripe.com, api.todoist.com, api.twilio.com, api.vercel.com, api.webflow.com, api.x.ai, app.asana.com, auth.monday.com, circleci.com, claude.ai, claude.com, cli.github.com, discord.com, docs.google.com, docs.googleapis.com, fapi.binance.com, generativelanguage.googleapis.com, git-scm.com, github.com, gitlab.com, gmail.googleapis.com, json-schema.org, mcp.linear.app, mcp.sentry.dev, my-org.sentry.io

Source & flagged code

13 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/commands/patchworkInit.jsView file
75patternName = generic_password severity = medium line = 75 matchedText = return {...e };
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/commands/patchworkInit.jsView on unpkg · L75
dist/installGuard.jsView file
1import { spawnSync } from "node:child_process"; L2: import { lstatSync, realpathSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/installGuard.jsView on unpkg · L1
dist/connectors/tokenStorage.jsView file
5* - macOS: Keychain (security command) L6: * - Windows: DPAPI (data protection API via PowerShell) L7: * - Linux: Secret Service API (via secret-tool or libsecret)
High
Shell

Package source references shell execution.

dist/connectors/tokenStorage.jsView on unpkg · L5
dist/pluginLoader.jsView file
143// npm package — find the package.json via require.resolve, then take its directory L144: const req = createRequire(path.join(process.cwd(), "noop.js")); L145: const pkgJsonPath = req.resolve(`${spec}/package.json`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/pluginLoader.jsView on unpkg · L143
dist/connectors/vercel.jsView file
20import { deleteSecretJsonSync, getSecretJsonSync, storeSecretJsonSync, } from "./tokenStorage.js"; L21: const BASE_URL = "https://api.vercel.com"; L22: export class VercelConnector extends BaseConnector { ... L58: throw res; L59: return res.json(); L60: }); ... L203: }, L204: body: JSON.stringify(body), L205: }); ... L325: export function loadTokens() { L326: const envToken = process.env.VERCEL_ACCESS_TOKEN; L327: if (envToken) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/connectors/vercel.jsView on unpkg · L20
dist/index.jsView file
3073// Node's execFileSync can't launch without a shell. See bridgeProcess.ts. L3074: execFileSync(editor, ["--install-extension", extensionArg2], { L3075: stdio: "pipe", ... L3078: }); L3079: process.stderr.write(` ✓ Extension installed via ${editor}\n\n`); L3080: } L3081: catch { L3082: process.stderr.write(` [warn] Extension install failed — download manually from:\n https://open-vsx.org/extension/${OPEN_VSX_PUBLISHER}/${OPEN_VSX_NAME}\n\n`); L3083: }
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L3073
20const m = /^([A-Z_][A-Z0-9_]*)=(.*)$/.exec(trimmed); L21: if (m?.[1] && !process.env[m[1]]) { L22: let raw = m[2] ?? ""; ... L46: } L47: import { execFileSync, spawn, spawnSync } from "node:child_process"; L48: import crypto from "node:crypto"; ... L63: import { writeFileAtomicSync } from "./writeFileAtomic.js"; L64: const __dirnameTop = path.dirname(fileURLToPath(import.meta.url)); L65: // Warn when a symlinked global install is detected (`npm install -g .`). L66: // launchctl / sandbox environments can fail through that link with EPERM. L67: // Warn only — do not crash interactive or dev flows. ... L70: if (_symlinkInfo) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L20
scripts/start-all.mjsView file
480PATCHWORK_BRIDGE_PORT: String(bridgePort), L481: ...(process.env.DASHBOARD_PASSWORD L482: ? { DASHBOARD_PASSWORD: process.env.DASHBOARD_PASSWORD } ... L488: L489: log("dashboard", `Starting on http://localhost:${DASHBOARD_PORT}`); L490: spawnProc( L491: "dashboard", L492: IS_WIN ? "cmd.exe" : "npx", L493: IS_WIN
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/start-all.mjsView on unpkg · L480
dist/tools/clipboard.jsView file
1import { execFile } from "node:child_process"; L2: import { promisify } from "node:util"; ... L28: try { L29: if (process.platform === "darwin") { L30: const { stdout } = await execFileAsync("pbpaste"); L31: return truncateToBytes(stdout, MAX_CLIPBOARD_BYTES); ... L70: const proc = execFile("pbcopy", (err) => err ? reject(err) : resolve()); L71: proc.stdin?.end(text); L72: }); ... L110: inputSchema: { L111: $schema: "http://json-schema.org/draft-07/schema#", L112: type: "object",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/tools/clipboard.jsView on unpkg · L1
dist/connectors/confluence.jsView file
18* dashboard hands to `handleConfluenceConnect`. Without this, an L19: * authenticated caller could submit `http://169.254.169.254/...` or L20: * `http://127.0.0.1/admin` and the bridge would POST Basic auth credentials ... L61: throw new Error(`HTTP ${res.status}`); L62: return res.json(); L63: }); ... L178: title: params.title, L179: body: { L180: representation: "storage", ... L260: export function loadTokens() { L261: const envToken = process.env.CONFLUENCE_API_TOKEN; L262: const envUrl = process.env.CONFLUENCE_INSTANCE_URL;
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/connectors/confluence.jsView on unpkg · L18
scripts/start-remote.shView file
path = scripts/start-remote.sh kind = build_helper sizeBytes = 3811 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/start-remote.shView on unpkg

Findings

7 High8 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/installGuard.js
HighShelldist/connectors/tokenStorage.js
HighSame File Env Network Executionscripts/start-all.mjs
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/tools/clipboard.js
HighCloud Metadata Accessdist/connectors/confluence.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patterndist/commands/patchworkInit.js
MediumDynamic Requiredist/pluginLoader.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumShips Build Helperscripts/start-remote.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/connectors/vercel.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings