AI Security Review
scanned 2h ago · by lpm-firewall-aiAt worker runtime, management-agent tools can inspect Kubernetes and scale deployments. User/agent-provided namespace and deployment strings are shell-interpolated into `kubectl` commands, creating a command-injection-capable privileged control surface.
Static reason
No blocking static signals were detected.
Trigger
Starting a worker that loads the management agent, then invoking its resource-management tools.
Impact
Can scale infrastructure or execute shell syntax in the worker environment if tool arguments are attacker-controlled.
Mechanism
Agent-exposed kubectl execution with unsanitized shell interpolation.
Rationale
No malicious install, exfiltration, or hidden payload behavior was found. The exposed privileged shell-backed management capability is a concrete unresolved security risk and warrants a warning.
Evidence
package.jsondist/resourcemgr-tools.jsplugins/mgmt/agents/resourcemgr.agent.mdplugins/mgmt/skills/resourcemgr/tools.jsondist/session-store.jsapi/src/api-client.jsdist/index.jsapi/src/http-api-transport.jsdist/facts-store.jsdist/mcp-loader.jsdist/system-agents.js
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/resourcemgr-tools.js` registers agent-callable infrastructure and cleanup tools.
- `scale_workers` interpolates namespace/deployment into `execSync` shell command.
- Management plugin exposes scaling and session-termination capabilities.
- `dist/session-store.js` invokes local `tar` for session persistence.
Evidence against
- `package.json` has no preinstall/install/postinstall/prepare lifecycle hook.
- No eval, Function, VM, or remote payload execution found.
- `api/src/api-client.js` only contacts caller-supplied `apiUrl`.
- No credential harvesting or fixed exfiltration endpoint found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourcedist/facts-store.jsView file
139// load-bearing: it widens the type away from a string literal so TypeScript does
L140: // NOT eagerly type-resolve `import(HORIZON_STORE_PACKAGE)` at compile time.
L141: // Resolving it would pull pilotswarm-horizon-store's emitted .d.ts into this
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/facts-store.jsView on unpkg · L139Findings
4 Medium4 Low
MediumDynamic Requiredist/facts-store.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings