registry  /  pilotswarm-sdk  /  0.3.3

pilotswarm-sdk@0.3.3

A durable execution runtime for GitHub Copilot SDK agents. Crash recovery, durable timers, session dehydration, and multi-node scaling — powered by duroxide.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A started worker loads management-agent tooling by default. Resource-manager tool arguments reach shell-interpolated `kubectl` commands without validation, enabling command injection if an attacker can cause tool invocation with crafted arguments.

Static reason
No blocking static signals were detected.
Trigger
Start a PilotSwarm worker, then invoke or prompt the resource-manager agent to use infrastructure tools.
Impact
Commands run with the worker process's privileges and configured Kubernetes credentials.
Mechanism
Shell command injection through unescaped Kubernetes tool arguments.
Rationale
Source inspection found a concrete runtime command-injection vulnerability and privileged AI-agent capability, but no evidence of intentionally malicious installation behavior, covert persistence, or exfiltration.
Evidence
package.jsondist/worker.jsdist/resourcemgr-tools.jsplugins/mgmt/agents/resourcemgr.agent.mddist/facts-store.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/resourcemgr-tools.js` interpolates tool-supplied namespace/deployment into `execSync` shell commands.
  • Management plugins load by default and the worker auto-starts their system agents.
  • The bundled resource-manager agent exposes infrastructure and scaling tools.
Evidence against
  • `package.json` has no preinstall/install/postinstall hooks or bin entry.
  • `dist/index.js` only exports SDK APIs; import alone does not invoke shell commands.
  • `dist/facts-store.js` dynamic import is a fixed optional peer dependency, not user-controlled code loading.
  • No credential harvesting or package-owned exfiltration endpoint was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 116 file(s), 5.12 MB of source, external domains: ossrdbms-aad.database.windows.net

Source & flagged code

1 flagged · loading source
dist/facts-store.jsView file
139// load-bearing: it widens the type away from a string literal so TypeScript does L140: // NOT eagerly type-resolve `import(HORIZON_STORE_PACKAGE)` at compile time. L141: // Resolving it would pull pilotswarm-horizon-store's emitted .d.ts into this
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/facts-store.jsView on unpkg · L139

Findings

3 Medium4 Low
MediumDynamic Requiredist/facts-store.js
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings