registry  /  vegas-chat  /  2.11.0

vegas-chat@2.11.0

AI CLI Agent with built-in 9Router — REPL, multi-LLM, auto-fix loop, AI Router + Dashboard

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Running the vegas CLI and issuing agent, /mcp, or /google commands
Impact
A user may authorize or direct project changes, command execution, MCP connections, and API requests.
Mechanism
User-directed shell/filesystem tools and configured provider/OAuth requests
Rationale
Direct inspection does not substantiate the scanner's malicious install-time/exfiltration claim: lifecycle hooks are a Node-version check and chmod only. The package remains warn-worthy because its interactive AI-agent surface exposes powerful local execution and credential-handling capabilities.
Evidence
package.jsondist/index.js~/.vegas/config.json
Network endpoints4
api.openai.com/v1api.anthropic.com/v1accounts.google.com/o/oauth2/authoauth2.googleapis.com/token

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • dist/index.js exposes agent tools that read, write, and execute user-project commands.
  • dist/index.js /google auth scans download folders for client_secret_*.json after explicit command.
  • dist/index.js supports user-command MCP server configuration with arbitrary stdio command.
  • dist/index.js sends configured chat/OAuth requests to third-party provider APIs.
Evidence against
  • package.json preinstall only checks the Node major version.
  • package.json postinstall only chmods dist/index.js.
  • No install hook invokes network, credential collection, or foreign agent-config mutation.
  • Google credential import and OAuth flows are reachable through explicit /google commands.
  • No concrete source path sends harvested local credentials to an unrelated endpoint.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.38 MB of source, external domains: 127.0.0.1, 9router.com, accounts.google.com, ai-mass.org, aistudio.google.com, api-inference.huggingface.co, api.anthropic.com, api.antigravity.ai, api.athena-ai.org, api.blackbox.ai, api.cably.ai, api.cartesia.ai, api.cerebras.ai, api.chimeragpt.com, api.cloudflare.com, api.cohere.ai, api.deepinfra.com, api.deepseek.com, api.endpoints.anyscale.com, api.exa.ai, api.example.com, api.fal.ai, api.firecrawl.dev, api.fireworks.ai, api.flux.ai, api.g4f.ai, api.githubcopilot.com, api.giz.ai, api.goapi.ai, api.goose.ai, api.gptyun.com, api.gptzero.ai, api.groq.com, api.hyperbolic.xyz, api.inferix.io, api.infermatic.ai, api.jina.ai, api.kimi.ai, api.kiro.ai, api.kluster.ai, api.lepton.ai, api.longcat.ai, api.lumalabs.ai, api.lunaris.ai, api.lunary.ai, api.mancer.ai, api.minimax.chat, api.mistral.ai, api.modal.com, api.nebius.ai

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.preinstall = node -e "process.exit(process.version.slice(1).split('.')[0] < 18 ? 1 : 0)" || echo "vegas requires Node.js >= 18"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.preinstall = node -e "process.exit(process.version.slice(1).split('.')[0] < 18 ? 1 : 0)" || echo "vegas requires Node.js >= 18"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('fs').chmodSync('dist/index.js',0o755)}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
143. You might have more than one copy of React in the same app L15: See https://react.dev/link/invalid-hook-call for tips about how to debug and fix this problem.`),x}function Pe(){Xe.asyncTransitions--}function ve(x){if(Ji===null)try{var K=("requi... L16: `+F.replace(/^Error(:[^\n]*)?\n/,""))});return U.prototype=Object.create(w.prototype),U.prototype.constructor=U,U.prototype.toString=function(){return this.message===void 0?this.na... ... L22: `)s&&(o+=mT("")),o+=LF(c);else if(Q===` L23: `){let _=[...c];UF(E.slice(v+1),_),o+=HF(_),s&&(o+=mT(s))}v+=Q.length}return o}});import Lf from"node:process";import{execFileSync as qF}from"node:child_process";import mE from"nod... L24: at`)?" (<anonymous>)":-1<f.stack.indexOf("@")?"@unknown:0:0":""}return`
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L14
14Trigger-reachable chain: manifest.bin -> dist/index.js L14: 3. You might have more than one copy of React in the same app L15: See https://react.dev/link/invalid-hook-call for tips about how to debug and fix this problem.`),x}function Pe(){Xe.asyncTransitions--}function ve(x){if(Ji===null)try{var K=("requi... L16: `+F.replace(/^Error(:[^\n]*)?\n/,""))});return U.prototype=Object.create(w.prototype),U.prototype.constructor=U,U.prototype.toString=function(){return this.message===void 0?this.na... ... L22: `)s&&(o+=mT("")),o+=LF(c);else if(Q===` L23: `){let _=[...c];UF(E.slice(v+1),_),o+=HF(_),s&&(o+=mT(s))}v+=Q.length}return o}});import Lf from"node:process";import{execFileSync as qF}from"node:child_process";import mE from"nod... L24: at`)?" (<anonymous>)":-1<f.stack.indexOf("@")?"@unknown:0:0":""}return`
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L14
22`)s&&(o+=mT("")),o+=LF(c);else if(Q===` L23: `){let _=[...c];UF(E.slice(v+1),_),o+=HF(_),s&&(o+=mT(s))}v+=Q.length}return o}});import Lf from"node:process";import{execFileSync as qF}from"node:child_process";import mE from"nod... L24: at`)?" (<anonymous>)":-1<f.stack.indexOf("@")?"@unknown:0:0":""}return`
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L22
143. You might have more than one copy of React in the same app L15: See https://react.dev/link/invalid-hook-call for tips about how to debug and fix this problem.`),x}function Pe(){Xe.asyncTransitions--}function ve(x){if(Ji===null)try{var K=("requi... L16: `+F.replace(/^Error(:[^\n]*)?\n/,""))});return U.prototype=Object.create(w.prototype),U.prototype.constructor=U,U.prototype.toString=function(){return this.message===void 0?this.na... ... L22: `)s&&(o+=mT("")),o+=LF(c);else if(Q===` L23: `){let _=[...c];UF(E.slice(v+1),_),o+=HF(_),s&&(o+=mT(s))}v+=Q.length}return o}});import Lf from"node:process";import{execFileSync as qF}from"node:child_process";import mE from"nod... L24: at`)?" (<anonymous>)":-1<f.stack.indexOf("@")?"@unknown:0:0":""}return`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L14
2#!/usr/bin/env node L3: var $6=Object.create;var MS=Object.defineProperty;var e9=Object.getOwnPropertyDescriptor;var t9=Object.getOwnPropertyNames;var n9=Object.getPrototypeOf,r9=Object.prototype.hasOwnPr... L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2

Findings

3 Critical3 High5 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalSame File Env Network Executiondist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings