registry  /  quay-ai-factory  /  0.5.0

quay-ai-factory@0.5.0

Quay — Autonomous AI Software Factory. Self-hosted AI agents, MCP integration, customizable pipelines, real-time Mission Control dashboard, cost transparency, and full audit trails.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

At runtime, authenticated pipeline execution can let LLM output invoke configured MCP tools or issue an arbitrary command to a configured sandbox executor. This is an intentional agent-orchestration capability, not install-time behavior.

Static reason
No blocking static signals were detected.
Trigger
User starts the server and runs a pipeline with configured agents, sandbox, or MCP servers.
Impact
Configured sandbox commands and MCP tools can access whatever permissions their external services or child processes receive.
Mechanism
LLM-directed sandbox command execution and configured MCP subprocess launching.
Rationale
The package contains a concrete, powerful LLM-directed command-execution path and MCP subprocess launcher, creating dangerous dual-use risk. Direct inspection found no malicious install hook, credential exfiltration, or unauthorized AI-agent control-surface mutation.
Evidence
package.jsonsrc/server/index.tssrc/server/agents/agentRunner.tssrc/server/mcp/index.tssrc/server/db/index.tssrc/lib/agentfile.ts
Network endpoints6
api.openai.com/v1api.anthropic.com/v1generativelanguage.googleapis.com/v1betaapi.cerebras.ai/v1api.groq.com/openai/v1openrouter.ai/api/v1

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/server/agents/agentRunner.ts` sends model-selected `bash`/`shell` commands to a configured sandbox `/exec` endpoint.
  • `src/server/mcp/index.ts` spawns configured MCP server commands with inherited environment variables.
  • `src/server/agents/agentRunner.ts` sends prompts to configured LLM provider APIs using environment API keys.
Evidence against
  • `package.json` has only `prepare`, which runs Svelte synchronization and no install-time payload.
  • MCP default server configuration is empty; source does not auto-start a bundled external command.
  • No source evidence of credential harvesting, hidden file collection, remote payload download, or foreign AI-agent config mutation.
  • Provider network calls are aligned with the declared self-hosted AI orchestration purpose.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 52 file(s), 272 KB of source, external domains: api.anthropic.com, api.cerebras.ai, api.groq.com, api.openai.com, api.together.xyz, generativelanguage.googleapis.com, github.com, openrouter.ai

Source & flagged code

2 flagged · loading source
src/lib/memory.tsView file
457*/ L458: import(agentId: string, data: { memories?: MemoryBlock[]; trajectories?: Trajectory[] }): void { L459: if (data.memories) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/lib/memory.tsView on unpkg · L457
scripts/test-quay.shView file
path = scripts/test-quay.sh kind = build_helper sizeBytes = 27475 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/test-quay.shView on unpkg

Findings

5 Medium5 Low
MediumDynamic Requiresrc/lib/memory.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/test-quay.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings