registry  /  phantomx-tool-client  /  1.0.5

phantomx-tool-client@1.0.5

Self-hosted tool-server client that connects to a remote orchestration server and executes tools locally

AI Security Review

scanned 2h ago · by lpm-firewall-ai

When the CLI is invoked, a server chosen by the caller can issue arbitrary shell commands, start detached processes, and read or edit local paths. The client also weakens Git's global safe-directory protection.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `tool-server` with a server URL and workspace arguments.
Impact
A connected orchestration server can execute code, access local files, alter files, and persist child processes on the invoking host.
Mechanism
Remote Socket.IO command-and-file-control client using `bash -lc`.
Rationale
Source inspection confirms dangerous remote code execution and local file-control capability, but activation requires explicit CLI use and a user-supplied server endpoint. Treat as a warning for dangerous dual-use functionality rather than a publish block.
Evidence
package.jsonbin/tool-server.jsdist/tool-server.jsdist/toolExecutionService.jsdist/Services/EditTool.jsdist/Services/ReadFileTool.js~/.gitconfig

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/tool-server.js` accepts Socket.IO requests from a runtime-supplied server URL.
  • `dist/toolExecutionService.js` passes remote command input to `bash -lc` without an allowlist.
  • `dist/tool-server.js` forwards remote absolute-path read requests and returns contents over the socket.
  • `dist/Services/EditTool.js` applies remote edit requests to supplied file paths.
  • `dist/tool-server.js` automatically runs global `git safe.directory '*'`, with a `sudo` fallback.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; `prepare` only runs `tsc`.
  • The remote-control behavior is activated only when the user invokes the CLI with arguments.
  • No hard-coded exfiltration host, encoded payload, or hidden import-time network call was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 148 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: fs, http, path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg
dist/githubOperationsHanlder.jsView file
matchType = previous_version_dangerous_delta matchedPackage = phantomx-tool-client@1.0.0 matchedIdentity = npm:cGhhbnRvbXgtdG9vbC1jbGllbnQ:1.0.0 similarity = 0.571 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/githubOperationsHanlder.jsView on unpkg

Findings

2 High2 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
HighPrevious Version Dangerous Deltadist/githubOperationsHanlder.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings