registry  /  talon-agent  /  1.38.0

talon-agent@1.38.0

Multi-frontend AI agent with full tool access, streaming, cron jobs, and plugin system

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The runtime can execute operator-configured plugins, MCP subprocesses, and saved scripts under the Talon OS user. No install-time execution, covert payload, or unconsented foreign AI-agent control-surface mutation was established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Operator configures plugins/MCP entries or invokes Talon script and agent functionality.
Impact
Configured content can run local commands and access credentials available to the Talon process.
Mechanism
Config-selected module import and local subprocess execution.
Rationale
The package is not concretely malicious, but it intentionally provides high-impact local code-execution capability in an AI-agent runtime. Flag as warn for dangerous dual-use behavior rather than block.
Evidence
package.jsonbin/talon.jssrc/util/config.tssrc/core/plugin/loader.tssrc/core/plugin/mcp.tssrc/core/scripts/runner.tssrc/backend/codex/auth.tssrc/index.tssrc/util/paths.ts

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/util/config.ts` accepts operator-defined plugin paths and MCP commands.
  • `src/core/plugin/loader.ts` dynamically imports configured plugin entrypoints.
  • `src/core/plugin/mcp.ts` launches configured MCP command/argument pairs.
  • `src/core/scripts/runner.ts` executes saved scripts through local interpreters.
  • `src/backend/codex/auth.ts` reads `~/.codex/auth.json` for Codex authentication.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • `bin/talon.js` only starts the explicit Talon CLI.
  • `src/util/paths.ts` stores Talon state under `~/.talon`.
  • No source write to `.claude`, `.codex`, `.cursor`, or other foreign agent configuration was found.
  • Observed network usage is configured frontend/backend functionality, not a covert exfiltration path.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 431 file(s), 2.50 MB of source, external domains: 127.0.0.1, adaptivecards.io, api.openai.com, api.telegram.org, discord.com, example.com, graph.microsoft.com, login.microsoftonline.com, maps.google.com, my.telegram.org, openrouter.ai, prod-xx.westus.logic.azure.com

Source & flagged code

4 flagged · loading source
src/core/plugin/registry.tsView file
118// Convert absolute filesystem paths to file:// URLs on Windows where L119: // dynamic import() rejects bare drive-letter paths (e.g. C:\...). L120: // Leave node: specifiers, relative paths, and URLs unchanged.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/core/plugin/registry.tsView on unpkg · L118
src/core/soul/embedder.tsView file
111L112: private embedOne(text: string): number[] { L113: const vec = new Array<number>(this.dim).fill(0);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/core/soul/embedder.tsView on unpkg · L111
bin/talon.jsView file
1package = talon-agent; repositoryIdentity = talon; dependency = tsx L1: #!/usr/bin/env node L2: import("tsx").then(() => import("../src/cli.ts")).catch((err) => { L3: console.error("Failed to start Talon:", err.message);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

bin/talon.jsView on unpkg · L1
src/frontend/discord/formatting.tsView file
74contains invisible/control Unicode U+200B (zero width space) return text.replace(/```/g, "`<U+200B>``");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/frontend/discord/formatting.tsView on unpkg · L74

Findings

1 Critical1 High4 Medium5 Low
CriticalTrojan Source Unicodesrc/frontend/discord/formatting.ts
HighCopied Package Dependency Bridgebin/talon.js
MediumDynamic Requiresrc/core/plugin/registry.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/core/soul/embedder.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings