registry  /  phantomx-tool-client  /  1.0.0

phantomx-tool-client@1.0.0

Self-hosted tool-server client that connects to a remote orchestration server and executes tools locally

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package is a self-hosted remote tool client that grants a socket server local file read/write and shell execution capabilities. This is dangerous dual-use functionality, but inspection did not show stealth install-time activation or unconsented persistence.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs bin/tool-server.js or imports dist/tool-server.js
Impact
A configured/compromised orchestration server can read and edit arbitrary local paths and execute shell commands in the configured workspace/process context.
Mechanism
socket-controlled local file operations, Git operations, and bash command execution
Rationale
Source inspection shows high-risk remote agent capabilities, including arbitrary shell and file access, but they are user-invoked and package-aligned rather than stealthy install-time malware. Warn rather than block because no concrete exfiltration, persistence, destructive default behavior, or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonbin/tool-server.jsdist/tool-server.jsdist/toolExecutionService.jsdist/Services/EditTool.jsdist/Services/ReadFileTool.jsdist/githubOperationsHanlder.js.env/tmp/tool-server-logs.logabsolute paths supplied by remote_read_requestabsolute paths supplied by remote_edit_requestFILE_WORKER_BASE_PATH or process.cwd()
Network endpoints3
localhost:8081api.github.com/installation/repositoriesgithub.com/${gitOrgName}/${repoName}.git

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/tool-server.js auto-runs main on import/bin and connects to TOOL_SERVER_URL or http://localhost:8081 via socket.io.
  • dist/tool-server.js registers remote_edit_request, remote_read_request, and selfhosted_tool_request handlers controlled by the socket server.
  • dist/toolExecutionService.js exposes remote bash execution via spawn('bash',['-lc', command]) and background process start/kill helpers.
  • dist/Services/EditTool.js writes arbitrary absolute paths supplied in remote edit payloads with no package-root confinement.
  • dist/Services/ReadFileTool.js reads arbitrary absolute paths supplied in remote read payloads and returns contents over the socket.
  • dist/tool-server.js loads GITHUB_PAT and APIKEY from environment; githubOperationsHanlder.js uses GitHub token in API calls and git remotes.
Evidence against
  • package.json has no preinstall/install/postinstall hook; prepare only runs tsc.
  • bin/tool-server.js requires explicit CLI invocation or package import to start the socket client.
  • Default network endpoint is localhost unless TOOL_SERVER_URL is set by the user/environment.
  • No obfuscated payloads, native binaries, dependency-confusion install hook, or AI-agent config writes were found.
  • Network and GitHub operations are aligned with the package description as a self-hosted tool-server client.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 147 KB of source, external domains: api.github.com, github.com

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: fs, http, path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High2 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings