registry  /  phantomx-tool-client  /  1.0.6

phantomx-tool-client@1.0.6

Self-hosted tool-server client that connects to a remote orchestration server and executes tools locally

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `tool-server` or imports `dist/tool-server.js` with task, workspace, token, and server URL arguments.
Impact
A connected controller can read or modify local files and execute commands as the invoking user.
Mechanism
Socket-controlled local file operations and arbitrary Bash command execution
Rationale
Source establishes a real dangerous remote-control capability with broad local effects, but it is activated only by explicit runtime use and contains no concrete covert malicious chain. The noisy dependency hints do not alter the source-grounded finding.
Evidence
package.jsonbin/tool-server.jsdist/tool-server.jsdist/toolExecutionService.jsdist/Services/ReadFileTool.jsdist/Services/EditTool.jsdist/githubOperationsHanlder.js
Network endpoints1
api.github.com

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/tool-server.js` auto-runs `main()` on import.
  • CLI accepts an arbitrary server URL and connects via Socket.IO.
  • Remote socket events can request reads and edits using absolute paths.
  • `Execute_commmand_host_machine` runs supplied commands through `bash -lc`.
  • Startup globally sets Git `safe.directory` to `*`, with a sudo fallback.
Evidence against
  • `package.json` has only `prepare: tsc`; no preinstall/install/postinstall hook.
  • Remote access begins only when the CLI/import is run with controller arguments.
  • Observed GitHub traffic is package-aligned (`api.github.com`) using supplied PAT.
  • No hidden endpoint, encoded payload, eval, dynamic loader, or self-propagation found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 150 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: fs, http, path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg
dist/githubOperationsHanlder.jsView file
matchType = previous_version_dangerous_delta matchedPackage = phantomx-tool-client@1.0.5 matchedIdentity = npm:cGhhbnRvbXgtdG9vbC1jbGllbnQ:1.0.5 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/githubOperationsHanlder.jsView on unpkg

Findings

2 High2 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
HighPrevious Version Dangerous Deltadist/githubOperationsHanlder.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings