AI Security Review
scanned 2h ago · by lpm-firewall-aiAt runtime, a system agent can invoke auto-registered resource-manager tools. The worker shell-interpolates tool-controlled Kubernetes identifiers, enabling command injection in a configured deployment.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Start a configured PilotSwarm worker and cause the `resourcemgr` agent/tool to call `scale_workers` or infrastructure stats with crafted arguments.
Impact
Arbitrary commands may run with the worker process permissions; Kubernetes operations are also exposed intentionally.
Mechanism
Unvalidated shell interpolation into `execSync` kubectl commands.
Rationale
This is a concrete runtime command-injection vulnerability in a package-owned AI-agent control path, not install-time malware. Flag as warn rather than block because activation requires configured runtime and an agent tool call.
Evidence
package.jsondist/worker.jsdist/resourcemgr-tools.jsplugins/mgmt/agents/resourcemgr.agent.mddist/mcp-loader.jsdist/facts-store.js
Decision evidence
public snapshotAI called this Suspicious at 96.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/resourcemgr-tools.js` builds `kubectl` shell strings from tool arguments.
- `scale_workers` accepts unconstrained `namespace` and `deployment` before `execSync`.
- `dist/worker.js` auto-registers resource-manager tools when a catalog is configured.
- Packaged `resourcemgr.agent.md` grants `scale_workers` to a system agent.
Evidence against
- `package.json` has no preinstall/install/postinstall/prepare hooks.
- `dist/mcp-loader.js` only reads plugin `.mcp.json`; it does not execute commands.
- `dist/facts-store.js` dynamic import is limited to named optional providers.
- No source evidence of secret harvesting or exfiltration.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/facts-store.jsView file
139// load-bearing: it widens the type away from a string literal so TypeScript does
L140: // NOT eagerly type-resolve `import(HORIZON_STORE_PACKAGE)` at compile time.
L141: // Resolving it would pull pilotswarm-horizon-store's emitted .d.ts into this
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/facts-store.jsView on unpkg · L139dist/session-store.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = pilotswarm-sdk@0.5.11
matchedIdentity = npm:cGlsb3Rzd2FybS1zZGs:0.5.11
similarity = 0.975
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/session-store.jsView on unpkgFindings
1 High4 Medium4 Low
HighPrevious Version Dangerous Deltadist/session-store.js
MediumDynamic Requiredist/facts-store.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings