registry  /  vegas-chat  /  2.10.0

vegas-chat@2.10.0

AI CLI Agent with built-in 9Router — REPL, multi-LLM, auto-fix loop, AI Router + Dashboard

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface. Runtime capabilities are explicit features of an AI CLI, including optional Google OAuth discovery and user-configured MCP commands.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `vegas` and invokes `/google auth`, `/mcp add`, or agent tools.
Impact
Can access files, execute configured commands, and call selected providers only through user-facing runtime features.
Mechanism
Interactive AI-agent tool execution and optional OAuth/MCP configuration.
Rationale
The scanner conflates an AI CLI’s explicit agent/OAuth functionality with malicious behavior. Source inspection found no concrete unconsented payload, exfiltration path, destructive behavior, or foreign AI-agent control-surface mutation.
Evidence
package.jsondist/index.js~/.vegas/config.json~/.vegas/vegas.db~/.vegas/skills
Network endpoints3
oauth2.googleapis.com/tokenaccounts.google.com/o/oauth2/auth127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `dist/index.js` scans `client_secret_*.json` in Downloads when `/google auth` lacks configured credentials.
  • `dist/index.js` supports explicit `/mcp add <name> <command>` configuration and connects configured stdio MCP servers.
  • `dist/index.js` exposes package-owned file-write, edit, shell, and web-fetch agent tools.
Evidence against
  • `package.json` preinstall only checks Node major version; postinstall only chmods `dist/index.js`.
  • No lifecycle hook executes the bundled CLI, reads credentials, contacts a network endpoint, or writes external agent configuration.
  • Google file discovery is only reached by the user-invoked `/google auth` command.
  • The discovered OAuth credentials are used for documented Google OAuth/token endpoints, not a package-controlled collector.
  • MCP commands require explicit interactive `/mcp add` or configured `autoLoad`; no `.claude`, `.cursor`, or `.codex` mutation was found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.38 MB of source, external domains: 127.0.0.1, 9router.com, accounts.google.com, ai-mass.org, aistudio.google.com, api-inference.huggingface.co, api.anthropic.com, api.antigravity.ai, api.athena-ai.org, api.blackbox.ai, api.cably.ai, api.cartesia.ai, api.cerebras.ai, api.chimeragpt.com, api.cloudflare.com, api.cohere.ai, api.deepinfra.com, api.deepseek.com, api.endpoints.anyscale.com, api.exa.ai, api.example.com, api.fal.ai, api.firecrawl.dev, api.fireworks.ai, api.flux.ai, api.g4f.ai, api.githubcopilot.com, api.giz.ai, api.goapi.ai, api.goose.ai, api.gptyun.com, api.gptzero.ai, api.groq.com, api.hyperbolic.xyz, api.inferix.io, api.infermatic.ai, api.jina.ai, api.kimi.ai, api.kiro.ai, api.kluster.ai, api.lepton.ai, api.longcat.ai, api.lumalabs.ai, api.lunaris.ai, api.lunary.ai, api.mancer.ai, api.minimax.chat, api.mistral.ai, api.modal.com, api.nebius.ai

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.preinstall = node -e "process.exit(process.version.slice(1).split('.')[0] < 18 ? 1 : 0)" || echo "vegas requires Node.js >= 18"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.preinstall = node -e "process.exit(process.version.slice(1).split('.')[0] < 18 ? 1 : 0)" || echo "vegas requires Node.js >= 18"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('fs').chmodSync('dist/index.js',0o755)}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
143. You might have more than one copy of React in the same app L15: See https://react.dev/link/invalid-hook-call for tips about how to debug and fix this problem.`),x}function Ye(){Ze.asyncTransitions--}function le(x){if(Yi===null)try{var Y=("requi... L16: `+j.replace(/^Error(:[^\n]*)?\n/,""))});return L.prototype=Object.create(w.prototype),L.prototype.constructor=L,L.prototype.toString=function(){return this.message===void 0?this.na... ... L22: `)s&&(o+=dT("")),o+=wF(c);else if(v===` L23: `){let T=[...c];DF(E.slice(Q+1),T),o+=_F(T),s&&(o+=dT(s))}Q+=v.length}return o}});import kf from"node:process";import{execFileSync as kF}from"node:child_process";import dE from"nod... L24: at`)?" (<anonymous>)":-1<f.stack.indexOf("@")?"@unknown:0:0":""}return`
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L14
14Trigger-reachable chain: manifest.bin -> dist/index.js L14: 3. You might have more than one copy of React in the same app L15: See https://react.dev/link/invalid-hook-call for tips about how to debug and fix this problem.`),x}function Ye(){Ze.asyncTransitions--}function le(x){if(Yi===null)try{var Y=("requi... L16: `+j.replace(/^Error(:[^\n]*)?\n/,""))});return L.prototype=Object.create(w.prototype),L.prototype.constructor=L,L.prototype.toString=function(){return this.message===void 0?this.na... ... L22: `)s&&(o+=dT("")),o+=wF(c);else if(v===` L23: `){let T=[...c];DF(E.slice(Q+1),T),o+=_F(T),s&&(o+=dT(s))}Q+=v.length}return o}});import kf from"node:process";import{execFileSync as kF}from"node:child_process";import dE from"nod... L24: at`)?" (<anonymous>)":-1<f.stack.indexOf("@")?"@unknown:0:0":""}return`
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L14
22`)s&&(o+=dT("")),o+=wF(c);else if(v===` L23: `){let T=[...c];DF(E.slice(Q+1),T),o+=_F(T),s&&(o+=dT(s))}Q+=v.length}return o}});import kf from"node:process";import{execFileSync as kF}from"node:child_process";import dE from"nod... L24: at`)?" (<anonymous>)":-1<f.stack.indexOf("@")?"@unknown:0:0":""}return`
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L22
143. You might have more than one copy of React in the same app L15: See https://react.dev/link/invalid-hook-call for tips about how to debug and fix this problem.`),x}function Ye(){Ze.asyncTransitions--}function le(x){if(Yi===null)try{var Y=("requi... L16: `+j.replace(/^Error(:[^\n]*)?\n/,""))});return L.prototype=Object.create(w.prototype),L.prototype.constructor=L,L.prototype.toString=function(){return this.message===void 0?this.na... ... L22: `)s&&(o+=dT("")),o+=wF(c);else if(v===` L23: `){let T=[...c];DF(E.slice(Q+1),T),o+=_F(T),s&&(o+=dT(s))}Q+=v.length}return o}});import kf from"node:process";import{execFileSync as kF}from"node:child_process";import dE from"nod... L24: at`)?" (<anonymous>)":-1<f.stack.indexOf("@")?"@unknown:0:0":""}return`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L14
2#!/usr/bin/env node L3: var K6=Object.create;var _S=Object.defineProperty;var Y6=Object.getOwnPropertyDescriptor;var J6=Object.getOwnPropertyNames;var P6=Object.getPrototypeOf,V6=Object.prototype.hasOwnPr... L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2

Findings

3 Critical3 High5 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalSame File Env Network Executiondist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings