registry  /  talon-agent  /  1.36.0

talon-agent@1.36.0

Multi-frontend AI agent with full tool access, streaming, cron jobs, and plugin system

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No concrete supply-chain malware was found, but the package intentionally provides a powerful user-invoked AI agent runtime. It can expose shell, filesystem, plugin, MCP, and messaging capabilities to configured backends.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs talon setup/start/chat or enables configured plugins/backends.
Impact
Configured agents can execute commands, read/write files, use networked chat/API services, and run configured plugins under the user's account.
Mechanism
user-invoked AI agent tool surface with shell/filesystem/MCP/plugin capabilities
Rationale
Static source inspection does not support the scanner's malicious verdict; the dangerous primitives are package-aligned and user-invoked, but broad enough to warrant a warning rather than a clean allow. No concrete malware chain or install-time attack surface was confirmed.
Evidence
package.jsonbin/talon.jssrc/cli.tssrc/cli/setup.tssrc/core/engine/gateway-actions/native.tssrc/backend/codex/mcp-config.tssrc/core/plugin/loader.tssrc/util/paths.tssrc/frontend/discord/formatting.tsREADME.md~/.talon/config.json~/.talon/data/talon.db~/.talon/workspace/~/.talon/.user-session
Network endpoints6
my.telegram.orgdiscord.com/developers/applicationsopenrouter.ai/api/v1api.openai.com/v1graph.microsoft.com/v1.0login.microsoftonline.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/core/engine/gateway-actions/native.ts exposes runtime AI tools for bash/read/write/edit/search, including local spawn("bash", ["-c", cmd]) and file writes.
  • src/backend/codex/mcp-config.ts sets Talon MCP servers default_tools_approval_mode to "approve" for Codex backend.
  • src/core/plugin/loader.ts dynamically imports user-configured plugin paths and applies plugin-provided env vars.
  • README.md describes the package as an agent harness with full MCP tool access, background agents, triggers, and plugins.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/talon.js only imports tsx then src/cli.ts; execution requires the user invoking the talon CLI.
  • src/cli/setup.ts is an explicit interactive setup that writes Talon config from user-supplied values.
  • src/backend/codex/mcp-config.ts uses per-process Codex config overrides, not writes to ~/.codex/config.toml.
  • src/frontend/discord/formatting.ts Unicode is used in text/mention formatting, not hidden control-flow logic.
  • Network hosts observed are product-aligned: Telegram, Discord, Microsoft Graph, OpenAI/Codex, OpenRouter, local 127.0.0.1 bridges.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 430 file(s), 2.47 MB of source, external domains: 127.0.0.1, adaptivecards.io, api.openai.com, api.telegram.org, discord.com, example.com, graph.microsoft.com, login.microsoftonline.com, maps.google.com, my.telegram.org, openrouter.ai, prod-xx.westus.logic.azure.com

Source & flagged code

5 flagged · loading source
src/core/plugin/registry.tsView file
118// Convert absolute filesystem paths to file:// URLs on Windows where L119: // dynamic import() rejects bare drive-letter paths (e.g. C:\...). L120: // Leave node: specifiers, relative paths, and URLs unchanged.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/core/plugin/registry.tsView on unpkg · L118
src/core/soul/embedder.tsView file
111L112: private embedOne(text: string): number[] { L113: const vec = new Array<number>(this.dim).fill(0);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/core/soul/embedder.tsView on unpkg · L111
bin/talon.jsView file
1package = talon-agent; repositoryIdentity = talon; dependency = tsx L1: #!/usr/bin/env node L2: import("tsx").then(() => import("../src/cli.ts")).catch((err) => { L3: console.error("Failed to start Talon:", err.message);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

bin/talon.jsView on unpkg · L1
src/frontend/discord/formatting.tsView file
74contains invisible/control Unicode U+200B (zero width space) return text.replace(/```/g, "`<U+200B>``");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/frontend/discord/formatting.tsView on unpkg · L74
src/core/engine/gateway-actions/native.tsView file
matchType = previous_version_dangerous_delta matchedPackage = talon-agent@1.33.0 matchedIdentity = npm:dGFsb24tYWdlbnQ:1.33.0 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/core/engine/gateway-actions/native.tsView on unpkg

Findings

1 Critical2 High4 Medium5 Low
CriticalTrojan Source Unicodesrc/frontend/discord/formatting.ts
HighCopied Package Dependency Bridgebin/talon.js
HighPrevious Version Dangerous Deltasrc/core/engine/gateway-actions/native.ts
MediumDynamic Requiresrc/core/plugin/registry.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/core/soul/embedder.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings