AI Security Review
scanned 2h ago · by lpm-firewall-aiA configured worker exposes Kubernetes management tools that construct shell commands from tool arguments without validation. This creates command-injection risk when an agent can invoke those tools.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Start a worker with a catalog, then invoke a resource-manager tool with crafted arguments.
Impact
Arbitrary commands may execute with the worker process privileges.
Mechanism
Unsanitized tool input interpolated into `execSync` shell commands.
Rationale
Source inspection found no lifecycle execution or covert exfiltration, but confirmed unescaped shell interpolation in automatically registered management tools. Treat as a high-risk remote-code-execution vulnerability rather than malicious package behavior.
Evidence
dist/resourcemgr-tools.jsdist/worker.jspackage.jsondist/session-store.jsapi/src/api-client.js
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/resourcemgr-tools.js` interpolates `namespace` into `execSync` shell commands.
- `scale_workers` interpolates `deployment` and `replicas` into `kubectl scale` via `execSync`.
- `dist/worker.js` auto-registers these resource-manager tools when a catalog is configured.
Evidence against
- `package.json` has no preinstall/install/postinstall/prepare hooks.
- Child-process use in `dist/session-store.js` is fixed `tar` arguments for session archives.
- `api/src/api-client.js` sends requests only to caller-supplied `apiUrl`.
- No credential harvesting or unsolicited exfiltration path was confirmed.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/facts-store.jsView file
139// load-bearing: it widens the type away from a string literal so TypeScript does
L140: // NOT eagerly type-resolve `import(HORIZON_STORE_PACKAGE)` at compile time.
L141: // Resolving it would pull pilotswarm-horizon-store's emitted .d.ts into this
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/facts-store.jsView on unpkg · L139dist/session-store.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = pilotswarm-sdk@0.4.1
matchedIdentity = npm:cGlsb3Rzd2FybS1zZGs:0.4.1
similarity = 0.858
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/session-store.jsView on unpkgFindings
1 High4 Medium4 Low
HighPrevious Version Dangerous Deltadist/session-store.js
MediumDynamic Requiredist/facts-store.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings