registry  /  portable-agent-layer  /  0.60.0

portable-agent-layer@0.60.0

PAL — Portable Agent Layer: persistent personal context for AI coding assistants

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit AI-agent extension layer that can register hooks/plugins across several agent config directories. This is a real lifecycle/control-surface risk, but source inspection did not show unconsented npm install-time mutation or exfiltration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs pal cli init, pal cli install, pal cli uninstall, pal session, or configured PAL agent hooks fire.
Impact
PAL hooks inject context, run safety checks, write PAL state, and may invoke local agent CLIs or configured model APIs during use.
Mechanism
explicit user-command agent hook/plugin installation and runtime helper spawning
Rationale
This is not malicious under the install-control-surface policy because broad agent configuration writes are explicit user-command setup or uninstall cleanup, not preinstall/install/postinstall behavior. The remaining risk is first-party agent extension lifecycle capability, so warn rather than block.
Evidence
package.jsonsrc/cli/index.tssrc/targets/codex/install.tssrc/targets/claude/install.tssrc/targets/opencode/install.tssrc/targets/cursor/install.tssrc/targets/copilot/install.tssrc/hooks/lib/inference.ts~/.claude/settings.json~/.codex/hooks.json~/.codex/config.toml~/.codex/rules/default.rules~/.config/opencode/plugins/pal-plugin.ts~/.config/opencode/config.json~/.cursor/hooks.json~/.copilot/hooks/pal-hooks.json~/.pal/
Network endpoints5
registry.npmjs.org/portable-agent-layer/latestapi.anthropic.com/v1/messagesapi.openai.com/v1/responseslocalhost:3000127.0.0.1:<dynamic-port>/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json exposes bin pal -> src/cli/index.ts and lifecycle scripts prepare/uninstall, but no preinstall/install/postinstall hook.
  • src/cli/index.ts pal cli install runs bun install/playwright install and imports target installers for Claude, opencode, Cursor, Copilot, Codex.
  • src/targets/codex/install.ts writes ~/.codex/hooks.json, rules/default.rules, config.toml, and skills.
  • src/targets/claude/install.ts, cursor/install.ts, copilot/install.ts, opencode/install.ts register PAL hooks/plugins/skills in agent config directories.
  • src/hooks/lib/inference.ts can spawn claude/codex/opencode/copilot/cursor or call Anthropic/OpenAI APIs when user keys are configured.
Evidence against
  • Agent config mutation is behind explicit pal cli install/init or uninstall, not npm install-time.
  • .husky/install.mjs exits in production/no .git and only installs Husky for dev repos.
  • Network endpoints are package-aligned or user-invoked: npm registry update check, model APIs, localhost Fyzz tool, Playwright local server.
  • No source evidence of credential harvesting; API keys are read for configured model/tool calls and not printed.
  • Uninstallers remove PAL-owned hooks/plugins and preserve existing user config via merge/unmerge/backups.
  • Scanner child_process/shell hits are CLI/tool wrappers and agent integration logic, not hidden payload execution.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
WildcardDependency
scanned 180 file(s), 1.88 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.anthropic.com, api.openai.com, api.perplexity.ai, api.x.ai, console.x.ai, generativelanguage.googleapis.com, github.com, nodejs.org, registry.npmjs.org, www.perplexity.ai

Source & flagged code

6 flagged · loading source
assets/skills/playwright/tools/shot.tsView file
14L15: import { spawnSync } from "node:child_process"; L16: import { existsSync, mkdtempSync, rmSync } from "node:fs";
High
Child Process

Package source references child process execution.

assets/skills/playwright/tools/shot.tsView on unpkg · L14
assets/skills/consulting-report/tools/dev.tsView file
30stdio: "inherit", L31: shell: true, L32: });
High
Shell

Package source references shell execution.

assets/skills/consulting-report/tools/dev.tsView on unpkg · L30
assets/skills/consulting-report/tools/generate-pdf.tsView file
87} L88: const mod = (await import(pathToFileURL(dataPath).href)) as { L89: reportData?: ReportMeta;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

assets/skills/consulting-report/tools/generate-pdf.tsView on unpkg · L87
src/cli/index.tsView file
matchType = previous_version_dangerous_delta matchedPackage = portable-agent-layer@0.59.0 matchedIdentity = npm:cG9ydGFibGUtYWdlbnQtbGF5ZXI:0.59.0 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli/index.tsView on unpkg
1057log.info("Installing dependencies..."); L1058: const deps = spawnSync("bun", ["install", "--frozen-lockfile"], { L1059: cwd: pkg, ... L1063: if (deps.status !== 0) { L1064: log.warn("bun install failed — continuing anyway, but hooks may not work"); L1065: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/cli/index.tsView on unpkg · L1057
assets/statusline.ps1View file
path = assets/statusline.ps1 kind = build_helper sizeBytes = 9857 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/statusline.ps1View on unpkg

Findings

1 Critical3 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/cli/index.ts
HighChild Processassets/skills/playwright/tools/shot.ts
HighShellassets/skills/consulting-report/tools/dev.ts
HighRuntime Package Installsrc/cli/index.ts
MediumDynamic Requireassets/skills/consulting-report/tools/generate-pdf.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperassets/statusline.ps1
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings