registry  /  unbound-cli  /  1.10.0

unbound-cli@1.10.0

CLI tool for Unbound - AI Gateway management

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `unbound oacb apply` or `unbound discover`/onboarding discovery.
Impact
Fetched content executes with the caller's privileges; discovery may execute with root privileges when invoked via sudo.
Mechanism
User-invoked remote script or hook delivery with AI-agent configuration mutation.
Rationale
Inspected source supports a real, explicitly user-invoked dangerous capability but not malicious intent, exfiltration, or unconsented install-time control-surface changes. Warn rather than block.
Evidence
package.jsonsrc/index.jssrc/commands/oacb.jssrc/commands/discover.jssrc/utils.jssrc/update-check.js~/.claude/hooks~/.claude/settings.json~/.claude/settings.json.oacb-backup~/.codex/hooks~/.codex/config.toml~/.codex/oacb-meta.json
Network endpoints2
raw.githubusercontent.com/websentry-ai/oacbraw.githubusercontent.com/websentry-ai/coding-discovery-tool/refs/heads/main

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/commands/oacb.js` downloads executable hook scripts from a pinned GitHub ref and writes them to `~/.claude/hooks` or `~/.codex/hooks`.
  • `src/commands/oacb.js` merges remote baseline policy into `~/.claude/settings.json` or `~/.codex/config.toml`.
  • `src/commands/discover.js` downloads a script from an unpinned `main` URL and executes it with Bash or PowerShell.
  • The discovery flow can run under `sudo`, making fetched script execution higher impact.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `src/index.js` only registers commands; no OACB/discovery action runs on import or npm installation.
  • OACB mutation requires explicit `unbound oacb apply`; it offers prompts, dry-run/preview, and blocking-tier warnings.
  • No inspected code showed covert credential harvesting, command-output exfiltration, or hidden persistence.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 430 KB of source, external domains: api.acme.com, api.getunbound.ai, backend.acme.com, backend.getunbound.ai, custom.backend.com, docs.getunbound.ai, gateway.acme.com, gateway.getunbound.ai, github.com, raw.githubusercontent.com, registry.npmjs.org, www.python.org

Source & flagged code

5 flagged · loading source
src/toolHealth.jsView file
18const path = require('path'); L19: const { spawnSync } = require('child_process'); L20:
High
Child Process

Package source references child process execution.

src/toolHealth.jsView on unpkg · L18
18const path = require('path'); L19: const { spawnSync } = require('child_process'); L20: L21: const HOME = os.homedir(); L22: const GATEWAY_DEFAULT = 'https://api.getunbound.ai'; L23: // Anchored to the install root + binary name so a hypothetical neighbor ... L52: try { L53: return JSON.parse(text.replace(/^\uFEFF/, '')); // tolerate a UTF-8 BOM L54: } catch { ... L60: function rcFiles() { L61: if (process.platform === 'win32') return []; L62: if (process.platform === 'darwin') return ['~/.zprofile', '~/.bash_profile', '~/.zshrc', '~/.bashrc'];
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/toolHealth.jsView on unpkg · L18
src/commands/oacb.jsView file
5const os = require('node:os'); L6: const { spawnSync } = require('node:child_process'); L7: const TOML = require('@iarna/toml'); ... L13: L14: const OACB_RAW_BASE = 'https://raw.githubusercontent.com/websentry-ai/oacb'; L15: const OACB_PINNED_REF = 'v0.2.1'; ... L20: // Consent receipt path L21: const CONSENT_RECEIPT_PATH = path.join(os.homedir(), '.claude', 'oacb-consent.json'); L22: ... L71: try { await handleCheck(); } L72: catch (e) { output.error(e.message); process.exitCode = 1; } L73: });
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

src/commands/oacb.jsView on unpkg · L5
5Trigger-reachable chain: manifest.main -> src/index.js -> src/commands/oacb.js L5: const os = require('node:os'); L6: const { spawnSync } = require('node:child_process'); L7: const TOML = require('@iarna/toml'); ... L13: L14: const OACB_RAW_BASE = 'https://raw.githubusercontent.com/websentry-ai/oacb'; L15: const OACB_PINNED_REF = 'v0.2.1'; ... L20: // Consent receipt path L21: const CONSENT_RECEIPT_PATH = path.join(os.homedir(), '.claude', 'oacb-consent.json'); L22: ... L71: try { await handleCheck(); } L72: catch (e) { output.error(e.message); process.exitCode = 1; } L73: });
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/commands/oacb.jsView on unpkg · L5
scripts/verify-nuke-ubuntu.shView file
path = scripts/verify-nuke-ubuntu.sh kind = build_helper sizeBytes = 3399 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/verify-nuke-ubuntu.shView on unpkg

Findings

2 Critical3 High4 Medium4 Low
CriticalCommand Output Exfiltrationsrc/commands/oacb.js
CriticalTrigger Reachable Dangerous Capabilitysrc/commands/oacb.js
HighChild Processsrc/toolHealth.js
HighShell
HighSandbox Evasion Gated Capabilitysrc/toolHealth.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/verify-nuke-ubuntu.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings