registry  /  pilotswarm-sdk  /  0.5.12

pilotswarm-sdk@0.5.12

A durable execution runtime for GitHub Copilot SDK agents. Crash recovery, durable timers, session dehydration, and multi-node scaling — powered by duroxide.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

At runtime, a system agent can invoke auto-registered resource-manager tools. The worker shell-interpolates tool-controlled Kubernetes identifiers, enabling command injection in a configured deployment.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Start a configured PilotSwarm worker and cause the `resourcemgr` agent/tool to call `scale_workers` or infrastructure stats with crafted arguments.
Impact
Arbitrary commands may run with the worker process permissions; Kubernetes operations are also exposed intentionally.
Mechanism
Unvalidated shell interpolation into `execSync` kubectl commands.
Rationale
This is a concrete runtime command-injection vulnerability in a package-owned AI-agent control path, not install-time malware. Flag as warn rather than block because activation requires configured runtime and an agent tool call.
Evidence
package.jsondist/worker.jsdist/resourcemgr-tools.jsplugins/mgmt/agents/resourcemgr.agent.mddist/mcp-loader.jsdist/facts-store.js

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/resourcemgr-tools.js` builds `kubectl` shell strings from tool arguments.
  • `scale_workers` accepts unconstrained `namespace` and `deployment` before `execSync`.
  • `dist/worker.js` auto-registers resource-manager tools when a catalog is configured.
  • Packaged `resourcemgr.agent.md` grants `scale_workers` to a system agent.
Evidence against
  • `package.json` has no preinstall/install/postinstall/prepare hooks.
  • `dist/mcp-loader.js` only reads plugin `.mcp.json`; it does not execute commands.
  • `dist/facts-store.js` dynamic import is limited to named optional providers.
  • No source evidence of secret harvesting or exfiltration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 152 file(s), 5.90 MB of source, external domains: ossrdbms-aad.database.windows.net

Source & flagged code

2 flagged · loading source
dist/facts-store.jsView file
139// load-bearing: it widens the type away from a string literal so TypeScript does L140: // NOT eagerly type-resolve `import(HORIZON_STORE_PACKAGE)` at compile time. L141: // Resolving it would pull pilotswarm-horizon-store's emitted .d.ts into this
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/facts-store.jsView on unpkg · L139
dist/session-store.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pilotswarm-sdk@0.5.11 matchedIdentity = npm:cGlsb3Rzd2FybS1zZGs:0.5.11 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/session-store.jsView on unpkg

Findings

1 High4 Medium4 Low
HighPrevious Version Dangerous Deltadist/session-store.js
MediumDynamic Requiredist/facts-store.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings