registry  /  pilotswarm-sdk  /  0.4.0

pilotswarm-sdk@0.4.0

A durable execution runtime for GitHub Copilot SDK agents. Crash recovery, durable timers, session dehydration, and multi-node scaling — powered by duroxide.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

At worker runtime, management-agent tools can inspect Kubernetes and scale deployments. User/agent-provided namespace and deployment strings are shell-interpolated into `kubectl` commands, creating a command-injection-capable privileged control surface.

Static reason
No blocking static signals were detected.
Trigger
Starting a worker that loads the management agent, then invoking its resource-management tools.
Impact
Can scale infrastructure or execute shell syntax in the worker environment if tool arguments are attacker-controlled.
Mechanism
Agent-exposed kubectl execution with unsanitized shell interpolation.
Rationale
No malicious install, exfiltration, or hidden payload behavior was found. The exposed privileged shell-backed management capability is a concrete unresolved security risk and warrants a warning.
Evidence
package.jsondist/resourcemgr-tools.jsplugins/mgmt/agents/resourcemgr.agent.mdplugins/mgmt/skills/resourcemgr/tools.jsondist/session-store.jsapi/src/api-client.jsdist/index.jsapi/src/http-api-transport.jsdist/facts-store.jsdist/mcp-loader.jsdist/system-agents.js

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/resourcemgr-tools.js` registers agent-callable infrastructure and cleanup tools.
  • `scale_workers` interpolates namespace/deployment into `execSync` shell command.
  • Management plugin exposes scaling and session-termination capabilities.
  • `dist/session-store.js` invokes local `tar` for session persistence.
Evidence against
  • `package.json` has no preinstall/install/postinstall/prepare lifecycle hook.
  • No eval, Function, VM, or remote payload execution found.
  • `api/src/api-client.js` only contacts caller-supplied `apiUrl`.
  • No credential harvesting or fixed exfiltration endpoint found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 125 file(s), 5.21 MB of source, external domains: ossrdbms-aad.database.windows.net

Source & flagged code

1 flagged · loading source
dist/facts-store.jsView file
139// load-bearing: it widens the type away from a string literal so TypeScript does L140: // NOT eagerly type-resolve `import(HORIZON_STORE_PACKAGE)` at compile time. L141: // Resolving it would pull pilotswarm-horizon-store's emitted .d.ts into this
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/facts-store.jsView on unpkg · L139

Findings

4 Medium4 Low
MediumDynamic Requiredist/facts-store.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings