registry  /  telos-origin  /  1.0.14

telos-origin@1.0.14

An APInt Portal Which Loads Plugins from an Environmental APInt into a Bus Net.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The CLI is a plugin/APInt loader with an explicit install/uninstall command path that can run command strings supplied by loaded APInt packages. It also self-installs only after an explicit CLI/import invocation in a project that does not declare the package. No install-time hook or concrete exfiltration path is present.

Static reason
One or more suspicious static signals were detected.
Trigger
Run the `telos-origin` CLI with `-e install` or `-e uninstall` and an APInt package defining script utilities; alternatively invoke the entrypoint outside a project declaring `telos-origin`.
Impact
A user loading an untrusted APInt can cause arbitrary local commands to run in that user’s environment; this package itself does not contain a concrete malicious payload.
Mechanism
Runtime APInt module loading and command execution from APInt metadata.
Rationale
Static inspection confirms a real arbitrary-command execution surface for explicitly loaded APInt content, but not a concrete malicious chain attributable to telos-origin@1.0.14. The scanner’s environment-variable signal is configuration propagation rather than harvesting.
Evidence
package.jsontelosOrigin.jstelosOrigin.jsontelosDefaults.jstelosUtils.jsAPInt.json

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `telosOrigin.js` runs `npm install telos-origin` when its CLI is invoked outside a project listing it as a dependency.
  • `telosOrigin.js` dynamically loads APInt module content/sources selected from runtime configuration.
  • `telosDefaults.js` executes `script-install` and `script-uninstall` command strings from loaded APInt packages.
  • `telosDefaults.js` writes the caller project’s `APInt.json` during explicit install/uninstall/set commands.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No package source contains credential harvesting, HTTP client usage, or a concrete external network endpoint.
  • The shell execution is tied to explicit `telos-origin -e install`/`uninstall` operations and APInt-provided scripts.
  • The bundled `telosOrigin.json` loads only the package-owned `telosDefaults.js` module.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 9.96 KB of source

Source & flagged code

2 flagged · loading source
telosOrigin.jsView file
16if(!getLocalPackages().includes("telos-origin")) L17: require("child_process").execSync("npm install telos-origin"); L18:
High
Child Process

Package source references child process execution.

telosOrigin.jsView on unpkg · L16
16if(!getLocalPackages().includes("telos-origin")) L17: require("child_process").execSync("npm install telos-origin"); L18:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

telosOrigin.jsView on unpkg · L16

Findings

3 High1 Medium1 Low
HighChild ProcesstelosOrigin.js
HighShell
HighRuntime Package InstalltelosOrigin.js
MediumEnvironment Vars
LowFilesystem