registry  /  yatfa  /  1.0.95

yatfa@1.0.95

YATFA - Yet Another Tool For Agents

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User invokes `npx yatfa` or builds/runs the documented agent container setup.
Impact
A compromised remote object-store/npm payload can execute in the agent container and influence Claude/MCP behavior; the explicit updater command can install a user-level persistent service.
Mechanism
Remote payload execution plus AI-agent configuration and persistence setup.
Rationale
No install-time malware chain is present, so blocking is not justified. The explicit setup path nevertheless enables remote code execution and broad AI-agent control-surface changes, warranting a warning.
Evidence
package.jsonbin/run-yatfa-agent.rbbin/install-agent.shsetup/setup-agent.rbsetup/agent_bridge.rbsetup/claude_settings.rblib/yatfa_agent/installer.rb.mcp.json~/.claude.json~/.config/systemd/user/yatfa-update-agents.service~/Library/LaunchAgents/com.yatfa.yatfa-update-agents.plist
Network endpoints3
registry.npmjs.org/yatfa/latestobjectstore.fra1.civo.com/yatfa/${YATFA_VERSION}raw.githubusercontent.com/${github_repo}/main/${skill_path}

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/run-yatfa-agent.rb` auto-fetches latest npm metadata, deletes cached package copies, then re-execs `npx yatfa@latest`.
  • `bin/install-agent.sh` creates `/usr/local/bin/setup-agent`, which downloads a remote manifest and Ruby files then executes `setup-agent.rb`.
  • `setup/agent_bridge.rb` downloads an architecture-specific `agent-bridge` executable from the object store and marks it executable.
  • `setup/claude_settings.rb` downloads remote hook scripts and writes Claude hook configuration.
  • `setup/setup-agent.rb` writes `.mcp.json` with an API key and creates a trusted, bypass-permissions Claude configuration.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • Host/container mutation is reached through explicit CLI commands or generated Docker setup, not package installation.
  • Network API authentication uses supplied `YATFA_API_KEY`; no source path harvests arbitrary local credentials for unrelated exfiltration.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
bin/run-yatfa-agent.rbView file
path = bin/run-yatfa-agent.rb kind = build_helper sizeBytes = 5971 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/run-yatfa-agent.rbView on unpkg

Findings

1 Medium1 Low
MediumShips Build Helperbin/run-yatfa-agent.rb
LowScripts Present