AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface. The package is an AI CLI agent with user-invoked shell, file, web, and LLM-provider tools.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs vegas CLI and grants prompts/tool calls during chat
Impact
Can execute commands and modify files during intended CLI use, but no unconsented package-install behavior was found
Mechanism
interactive AI agent tools
Rationale
Static inspection shows risky agent capabilities, but they are the advertised runtime functionality and are not triggered by install or import. The lifecycle scripts are benign version/check permission maintenance, with no credential harvesting, persistence, exfiltration, or AI-agent control-surface mutation found.
Evidence
package.jsondist/index.jsdist/repl.jsdist/tools/bash.jsdist/tools/write.jsdist/tools/edit.jsdist/provider/registry.jsdist/config.js~/.vegas/config.json~/.vegas/vegas.db~/.vegas/skills/*.md
Network endpoints12
api.openai.com/v1api.anthropic.com/v1/messagesgenerativelanguage.googleapis.com/v1betaopencode.ai/zen/v1google.serper.dev/searchapi.groq.com/openai/v1api.deepseek.com/v1openrouter.ai/api/v1api.together.xyz/v1api.x.ai/v1api.mistral.ai/v1localhost:20128/v1
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/tools/bash.js exposes an LLM-callable execSync shell tool at runtime.
- dist/tools/write.js and dist/tools/edit.js can write arbitrary user-specified paths when invoked in chat.
- dist/config.js stores API keys in ~/.vegas/config.json for the CLI's providers.
Evidence against
- package.json preinstall only checks Node major version; postinstall only chmods dist/index.js.
- dist/index.js only starts the interactive REPL; no import-time exfiltration or payload fetch found.
- Network calls are package-aligned LLM/search providers in dist/provider/* and dist/tools/webSearch.js.
- No lifecycle script writes AI-agent control files or alters project instructions.
- Filesystem writes are CLI features, user/LLM-invoked after running the vegas binary.
Behavioral surface
ChildProcessCryptoFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node -e "process.exit(process.version.slice(1).split('.')[0] < 18 ? 1 : 0)" || echo "vegas requires Node.js >= 18"
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.preinstall = node -e "process.exit(process.version.slice(1).split('.')[0] < 18 ? 1 : 0)" || echo "vegas requires Node.js >= 18"
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node -e "try{require('fs').chmodSync('dist/index.js',0o755)}catch(e){}"
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 Critical1 High3 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings