registry  /  talon-agent  /  1.33.0

talon-agent@1.33.0

Multi-frontend AI agent with full tool access, streaming, cron jobs, and plugin system

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack surface is established. The package is a user-invoked AI agent CLI with runtime MCP/plugin execution and Codex auto-approval of Talon-owned MCP tools, which is package-aligned but security-sensitive.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
user runs talon, talon setup, or starts configured agent backends/plugins
Impact
User-configured agent tools and plugins can act with the agent's local permissions; no unconsented package install action was found.
Mechanism
runtime AI agent orchestration with MCP/plugin subprocesses
Rationale
Source inspection does not confirm malware or unconsented install-time mutation; risky primitives are tied to the package's stated AI agent, plugin, and backend functionality. The Codex MCP auto-approval and dynamic plugin/MCP execution justify a warning rather than a publish block.
Evidence
package.jsonbin/talon.jssrc/cli.tssrc/cli/setup.tssrc/cli/config.tssrc/core/plugin/loader.tssrc/core/plugin/registry.tssrc/util/mcp-launcher.tssrc/backend/codex/mcp-config.tssrc/backend/codex/init.tssrc/frontend/discord/formatting.ts~/.talon/config.json~/.talon/data/talon.db~/.talon/workspace/~/.codex/auth.json
Network endpoints7
api.openai.com/v1login.microsoftonline.comgraph.microsoft.com/v1.0api.telegram.orgdiscord.comopenrouter.ai/api/v1127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/backend/codex/mcp-config.ts sets Talon MCP servers default_tools_approval_mode to approve for Codex runtime.
  • src/core/plugin/loader.ts dynamically imports user-configured plugin paths and applies plugin env vars.
  • src/util/mcp-launcher.ts spawns configured MCP child commands under a supervisor.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/talon.js only bootstraps tsx and src/cli.ts for user-invoked CLI use.
  • src/cli/setup.ts explicitly prompts before saving service tokens/config via src/cli/config.ts.
  • src/frontend/discord/formatting.ts Unicode is zero-width mention suppression, not hidden control flow.
  • No source evidence of credential harvesting, exfiltration, destructive install behavior, or broad unconsented agent config mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 414 file(s), 2.35 MB of source, external domains: 127.0.0.1, adaptivecards.io, api.openai.com, api.telegram.org, discord.com, example.com, graph.microsoft.com, login.microsoftonline.com, maps.google.com, my.telegram.org, openrouter.ai, prod-xx.westus.logic.azure.com

Source & flagged code

4 flagged · loading source
src/core/plugin/registry.tsView file
118// Convert absolute filesystem paths to file:// URLs on Windows where L119: // dynamic import() rejects bare drive-letter paths (e.g. C:\...). L120: // Leave node: specifiers, relative paths, and URLs unchanged.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/core/plugin/registry.tsView on unpkg · L118
src/core/soul/embedder.tsView file
111L112: private embedOne(text: string): number[] { L113: const vec = new Array<number>(this.dim).fill(0);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/core/soul/embedder.tsView on unpkg · L111
bin/talon.jsView file
1package = talon-agent; repositoryIdentity = talon; dependency = tsx L1: #!/usr/bin/env node L2: import("tsx").then(() => import("../src/cli.ts")).catch((err) => { L3: console.error("Failed to start Talon:", err.message);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

bin/talon.jsView on unpkg · L1
src/frontend/discord/formatting.tsView file
74contains invisible/control Unicode U+200B (zero width space) return text.replace(/```/g, "`<U+200B>``");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/frontend/discord/formatting.tsView on unpkg · L74

Findings

1 Critical1 High4 Medium5 Low
CriticalTrojan Source Unicodesrc/frontend/discord/formatting.ts
HighCopied Package Dependency Bridgebin/talon.js
MediumDynamic Requiresrc/core/plugin/registry.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/core/soul/embedder.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings