registry  /  pilotswarm-sdk  /  0.3.2

pilotswarm-sdk@0.3.2

A durable execution runtime for GitHub Copilot SDK agents. Crash recovery, durable timers, session dehydration, and multi-node scaling — powered by duroxide.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Runtime resource-manager tools invoke `kubectl` through shell-interpreted `execSync` strings. Unvalidated tool arguments can alter the command beyond the intended Kubernetes operation.

Static reason
No blocking static signals were detected.
Trigger
A worker registers `createResourceManagerTools` and an agent/user invokes infrastructure or scaling tools with crafted namespace or deployment input.
Impact
Arbitrary commands may run with the worker process privileges and its configured Kubernetes credentials.
Mechanism
Shell command injection through interpolated `kubectl` arguments.
Rationale
Source inspection found a concrete runtime shell-injection vulnerability but no malicious install hook, exfiltration chain, or stealth behavior. Warn rather than block as a critical vulnerability in an explicitly registered management capability.
Evidence
package.jsondist/index.jsdist/facts-store.jsdist/resourcemgr-tools.jsplugins/mgmt/agents/resourcemgr.agent.mddist/session-store.js

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/resourcemgr-tools.js` interpolates tool-supplied namespace/deployment into `execSync` shell commands.
  • `scale_workers` can execute injected shell syntax through unvalidated `namespace` or `deployment` parameters.
  • Packaged Resource Manager agent exposes `scale_workers` to an LLM-controlled tool surface.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `dist/index.js` only re-exports modules; import does not trigger command execution.
  • Dynamic import in `dist/facts-store.js` loads the explicitly selected optional Horizon peer.
  • No hard-coded exfiltration endpoint, credential harvesting, or stealth persistence was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 108 file(s), 4.92 MB of source, external domains: ossrdbms-aad.database.windows.net

Source & flagged code

1 flagged · loading source
dist/facts-store.jsView file
139// load-bearing: it widens the type away from a string literal so TypeScript does L140: // NOT eagerly type-resolve `import(HORIZON_STORE_PACKAGE)` at compile time. L141: // Resolving it would pull pilotswarm-horizon-store's emitted .d.ts into this
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/facts-store.jsView on unpkg · L139

Findings

3 Medium4 Low
MediumDynamic Requiredist/facts-store.js
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings