registry  /  phantomx-tool-client  /  1.0.8

phantomx-tool-client@1.0.8

Self-hosted tool-server client that connects to a remote orchestration server and executes tools locally

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A user-invoked or imported client connects to a runtime-selected Socket.IO server. That server can request arbitrary shell commands, file reads, and edits; command output and file contents are returned to it.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running `tool-server` or importing `dist/tool-server.js` with a server URL argument.
Impact
A controlling server can execute commands on the host and exfiltrate readable file contents, including command output.
Mechanism
Remote Socket.IO-controlled shell execution and unrestricted absolute-path file operations.
Rationale
The package exposes a high-risk remote command-and-file-control channel controlled by a runtime-selected server. It is not proven malicious because it lacks install-time execution, a fixed attacker endpoint, or concealment, but warrants a warning as dangerous capability.
Evidence
package.jsonbin/tool-server.jsdist/tool-server.jsdist/toolExecutionService.jsdist/Services/EditTool.jsdist/Services/ReadFileTool.jsdist/githubOperationsHanlder.js
Network endpoints1
api.github.com

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/tool-server.js` accepts Socket.IO requests from a runtime-supplied `SERVER_URL`.
  • `dist/toolExecutionService.js` runs remote command strings with `bash -lc` on the host.
  • Remote `Execute_commmand_host_machine` and background-process tools provide arbitrary host execution.
  • `remote_read_request` reads caller-supplied absolute paths and returns contents over the socket.
  • `remote_edit_request` applies socket-supplied edits to absolute file paths.
  • `dist/githubOperationsHanlder.js` uses the supplied GitHub PAT for GitHub API and git operations.
Evidence against
  • `package.json` only defines `prepare`; no preinstall/install/postinstall hook exists.
  • No hard-coded non-GitHub network endpoint, stealth payload download, or obfuscated payload was found.
  • The manifest describes a self-hosted remote tool client, aligning with the exposed capability.
  • GitHub traffic targets the package-aligned `https://api.github.com` endpoint.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 170 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: fs, http, path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg
dist/githubOperationsHanlder.jsView file
matchType = previous_version_dangerous_delta matchedPackage = phantomx-tool-client@1.0.7 matchedIdentity = npm:cGhhbnRvbXgtdG9vbC1jbGllbnQ:1.0.7 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/githubOperationsHanlder.jsView on unpkg

Findings

2 High2 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
HighPrevious Version Dangerous Deltadist/githubOperationsHanlder.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings