registry  /  vanexa-agent  /  1.1.0

vanexa-agent@1.1.0

Vanexa Remote Agent — The hands of your AI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `vanexa-agent pair` and then starts the daemon or invokes an agent command.
Impact
Potential remote command execution and disclosure or modification of files within the user's home directory, subject to the package's incomplete sandbox and approval configuration.
Mechanism
Relay-delivered LLM tool calls execute local agent capabilities.
Rationale
Source establishes a real remote AI-agent control capability with weak containment and a questionable default backend, warranting a warning. It does not establish a concrete malicious install-time or stealth exfiltration chain.
Evidence
package.jsonsrc/config.jssrc/pairing.jssrc/daemon.jssrc/agentLoop.jssrc/sandbox.jssrc/providers/dashscope.jssrc/tools/terminalExec.jssrc/tools/fsRead.js~/.vanexa/config.json~/.vanexa/session.jwt
Network endpoints2
wss://vanexa-agent-relay.hanazaki542.workers.dev/ws/daemon/{sessionId}vanexa-agent-fallback.yourdomain.com/agent

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/daemon.js` accepts relay `task_request` messages and starts an `AgentLoop`.
  • `src/tools/terminalExec.js` runs supplied shell commands through `child_process.exec`.
  • `src/sandbox.js` defaults allowed workspaces to the entire home directory and all tools.
  • `src/tools/fsRead.js` can read files; tool results are returned to the configured LLM/relay flow.
  • `src/providers/dashscope.js` posts prompts, workspace context, and tool definitions to `https://vanexa-agent-fallback.yourdomain.com/agent` by default.
  • `src/pairing.js` persists a six-digit pairing code as the daemon session ID rather than a relay-issued JWT.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Remote execution requires explicit `pair` then `start`/CLI invocation.
  • `src/agentLoop.js` requests approval for dangerous actions in default autonomy mode B.
  • No source evidence of covert install-time harvesting, persistence, or destructive payload execution.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 46 file(s), 130 KB of source, external domains: api.anthropic.com, api.deepseek.com, api.openai.com, dashscope.aliyuncs.com, generativelanguage.googleapis.com, html.duckduckgo.com, vanexa-agent-fallback.yourdomain.com, vanexa-agent-relay.hanazaki542.workers.dev, vanexa-agent-relay.workers.dev

Source & flagged code

5 flagged · loading source
install.shView file
path = install.sh kind = build_helper sizeBytes = 6517 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg
vanexa-agent-1.0.0.tgzView file
path = vanexa-agent-1.0.0.tgz kind = high_entropy_blob sizeBytes = 17797 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

vanexa-agent-1.0.0.tgzView on unpkg
path = vanexa-agent-1.0.0.tgz kind = compressed_blob sizeBytes = 17797 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

vanexa-agent-1.0.0.tgzView on unpkg
path = vanexa-agent-1.0.0.tgz kind = nested_archive_needs_inspection sizeBytes = 17797 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

vanexa-agent-1.0.0.tgzView on unpkg
src/tools/webSearch.jsView file
matchType = previous_version_dangerous_delta matchedPackage = vanexa-agent@1.0.6 matchedIdentity = npm:dmFuZXhhLWFnZW50:1.0.6 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/tools/webSearch.jsView on unpkg

Findings

2 High4 Medium6 Low
HighShips High Entropy Blobvanexa-agent-1.0.0.tgz
HighPrevious Version Dangerous Deltasrc/tools/webSearch.js
MediumNetwork
MediumShips Build Helperinstall.sh
MediumShips Compressed Blobvanexa-agent-1.0.0.tgz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionvanexa-agent-1.0.0.tgz