registry  /  privateer-agent  /  0.3.2

privateer-agent@0.3.2

Privateer — a provider-agnostic, safe-by-default terminal coding agent with TEE/Tinfoil attestation, rebuilt on the Pi toolkit. Bring your own model across 20 providers.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time malicious behavior was found. The main risk is a first-party AI-agent extension setup performed by the explicit privateer CLI launcher, plus authenticated remote relay features aligned with the package purpose.

Static reason
No blocking static signals were detected.
Trigger
User runs the privateer CLI or enables remote access inside the agent
Impact
Agent config/extensions are modified for Privateer operation; remote relay may transmit bounded prompts, tool events, approvals, and user-selected files when enabled.
Mechanism
first-party agent extension shims and authenticated relay client
Rationale
Static inspection shows no unconsented install-time mutation, credential harvesting, destructive behavior, or remote payload execution. Because the CLI explicitly writes first-party extension shims into its agent control surface, this fits lifecycle-risk warning rather than a publish block.
Evidence
package.jsonbin/privateer-tuibin/privateer.mjssrc/auth/privateer.tssrc/remote/relayClient.tssrc/tools/sendFile.tssrc/tools/saveAttachment.tssrc/tools/routine.ts${PRIVATEER_HOME:-$HOME/.privateer}/agent/extensions/*.ts${PRIVATEER_HOME:-$HOME/.privateer}/agent/settings.json${PRIVATEER_HOME:-$HOME/.privateer}/credentials.json
Network endpoints7
helix-server-m1ac.onrender.com/auth/device/code/auth/device/token/auth/session/spawn/auth/refresh/relay/ticket/relay?ticket=...

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • bin/privateer-tui writes extension shim files under PRIVATEER_HOME/.privateer agent dir on explicit CLI launch
  • bin/privateer-tui updates agent settings.json quietStartup on explicit CLI launch
  • src/remote/relayClient.ts can relay prompts/events/files over WebSocket when remote access is enabled
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • bin entry is user-invoked CLI, not install-time execution
  • src/auth/privateer.ts validates server URL as https or loopback before sending tokens
  • src/remote/relayClient.ts redacts/truncates relay events and requires authenticated ticket
  • File send/save/routine tools are described as permission-gated user/agent actions
Behavioral surface
Source
CryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 44 file(s), 216 KB of source, external domains: dashscope-intl.aliyuncs.com, helix-server-m1ac.onrender.com, openrouter.ai

Source & flagged code

1 flagged · loading source
bin/privateer.mjsView file
21register(); // resolves the repo's tsx regardless of the invocation cwd L22: await import(resolve(repo, "src/cli/chat.ts"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/privateer.mjsView on unpkg · L21

Findings

3 Medium4 Low
MediumDynamic Requirebin/privateer.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings