registry  /  pilotswarm-sdk  /  0.5.1

pilotswarm-sdk@0.5.1

A durable execution runtime for GitHub Copilot SDK agents. Crash recovery, durable timers, session dehydration, and multi-node scaling — powered by duroxide.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A configured worker exposes Kubernetes management tools that construct shell commands from tool arguments without validation. This creates command-injection risk when an agent can invoke those tools.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Start a worker with a catalog, then invoke a resource-manager tool with crafted arguments.
Impact
Arbitrary commands may execute with the worker process privileges.
Mechanism
Unsanitized tool input interpolated into `execSync` shell commands.
Rationale
Source inspection found no lifecycle execution or covert exfiltration, but confirmed unescaped shell interpolation in automatically registered management tools. Treat as a high-risk remote-code-execution vulnerability rather than malicious package behavior.
Evidence
dist/resourcemgr-tools.jsdist/worker.jspackage.jsondist/session-store.jsapi/src/api-client.js

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/resourcemgr-tools.js` interpolates `namespace` into `execSync` shell commands.
  • `scale_workers` interpolates `deployment` and `replicas` into `kubectl scale` via `execSync`.
  • `dist/worker.js` auto-registers these resource-manager tools when a catalog is configured.
Evidence against
  • `package.json` has no preinstall/install/postinstall/prepare hooks.
  • Child-process use in `dist/session-store.js` is fixed `tar` arguments for session archives.
  • `api/src/api-client.js` sends requests only to caller-supplied `apiUrl`.
  • No credential harvesting or unsolicited exfiltration path was confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 152 file(s), 5.85 MB of source, external domains: ossrdbms-aad.database.windows.net

Source & flagged code

2 flagged · loading source
dist/facts-store.jsView file
139// load-bearing: it widens the type away from a string literal so TypeScript does L140: // NOT eagerly type-resolve `import(HORIZON_STORE_PACKAGE)` at compile time. L141: // Resolving it would pull pilotswarm-horizon-store's emitted .d.ts into this
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/facts-store.jsView on unpkg · L139
dist/session-store.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pilotswarm-sdk@0.4.1 matchedIdentity = npm:cGlsb3Rzd2FybS1zZGs:0.4.1 similarity = 0.858 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/session-store.jsView on unpkg

Findings

1 High4 Medium4 Low
HighPrevious Version Dangerous Deltadist/session-store.js
MediumDynamic Requiredist/facts-store.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings