registry  /  toolnexus  /  0.2.0

toolnexus@0.2.0

Dynamic MCP servers + agent skills as uniform tools for any LLM (opencode-style).

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
A host creates a Toolkit without disabling builtins and runs the Client agent loop.
Impact
A compromised or prompt-injected model can perform actions with the host process permissions.
Mechanism
LLM-directed tool execution with shell, filesystem, and network primitives.
Rationale
Source inspection finds no concrete malicious behavior, but the default agent loop grants broad shell, filesystem, and network capabilities to model-directed calls without an in-package approval boundary. Treat as a dangerous capability requiring caller-side containment rather than a malware block.
Evidence
package.jsonsrc/toolkit.tssrc/builtin.tssrc/client.tssrc/http.tssrc/mcp.tssrc/a2a.tssrc/native.tssrc/serve.tsdist/builtin.jsdist/client.js

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `Toolkit.create()` enables built-in tools by default.
  • `src/builtin.ts` exposes shell execution, file writes/deletes, and web fetch tools.
  • `src/client.ts` automatically executes model-requested tools in its agent loop.
  • `src/http.ts` expands configured environment variables into outbound request headers.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • No hard-coded third-party endpoint, credential harvesting, or covert exfiltration was found.
  • Imports only export library modules; no import-time execution was found.
  • No binaries, eval/vm use, persistence hook, or AI-agent configuration mutation was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 190 KB of source

Source & flagged code

3 flagged · loading source
src/builtin.tsView file
Published source reference
Medium
Ai Review Evidence

`src/builtin.ts` exposes shell execution, file writes/deletes, and web fetch tools.

src/builtin.tsView on unpkg
src/client.tsView file
Published source reference
Medium
Ai Review Evidence

`src/client.ts` automatically executes model-requested tools in its agent loop.

src/client.tsView on unpkg
src/http.tsView file
Published source reference
Medium
Ai Review Evidence

`src/http.ts` expands configured environment variables into outbound request headers.

src/http.tsView on unpkg

Findings

6 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidencesrc/builtin.ts
MediumAi Review Evidencesrc/client.ts
MediumAi Review Evidencesrc/http.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings