goondocks-co/open-agent-kit · critical

Maintenance Mode · OAK automatically captures the plans, decisions, and trade-offs that usually vanish. Intelligence powered memories, context injection, autonomous agents, and more.

purpose: Open Agent Kit (OAK) captures development plans, decisions, and context to provide memory and context injection for AI coding agents, enabling autonom...

threat: network exposed
Python · 8 · May 21, 2026 · May 21, 2026 · GitHub
RISK SCORE: 0 / 100 (high findings +75, medium findings +45, capped at 100)
VULNERABILITY ANALYSIS · 6 findings in 6 blocks · 3 HIGH · 3 MEDIUM
HIGH · 1 finding
src/open_agent_kit/features/swarm/daemon/server.py:140
140    app.include_router(restart.router)
src/open_agent_kit/features/swarm/daemon/server.py:35

// Network-exposed MCP; requires valid agent token but no additional authorization for destructive actions.

EXPLAIN: The `restart` tool is exposed via the MCP interface and allows restarting the daemon. While the daemon has token authentication middleware, the restart endpoint itself may not require additional authorization beyond the MCP agent token. If an attacker gains access to the MCP endpoint (e.g., via prompt injection or network exposure), they can restart the daemon, causing denial of service or disrupting swarm operations.
IMPACT: An attacker could repeatedly restart the daemon, causing denial of service or disrupting ongoing indexing and swarm coordination.
FIX: Add additional authorization checks for destructive operations like restart, or require a separate confirmation step. Consider rate-limiting restart requests.
HIGH · 1 finding
src/open_agent_kit/commands/ci/index.py:163
163    try:
164        subprocess.run(["uv", "--version"], capture_output=True, check=True)
165        install_cmd = ["uv", "pip", "install"]
166    except (subprocess.CalledProcessError, FileNotFoundError):
167        install_cmd = [sys.executable, "-m", "pip", "install"]
168
169    try:
170        cmd = install_cmd + packages_to_install
171        console.print(f"  Running: {' '.join(cmd)}", style="dim")
172        subprocess.run(cmd, check=True, capture_output=True, text=True)
src/open_agent_kit/commands/ci/index.py:3

// Exploitable only if MCP is exposed to untrusted prompts or if an attacker can influence the package list via configuration.

EXPLAIN: The `ci_index` command constructs a pip install command from `packages_to_install`, which is derived from `TREE_SITTER_PACKAGES` values. While the keys are hardcoded, the values (pip package names) could be manipulated if an attacker can modify the source code or configuration. However, the real issue is that the command is executed without sanitization of package names, and if any external input influences the package list (e.g., via a compromised config), arbitrary packages could be installed. Additionally, the `ci_install_parsers` command is exposed as an MCP tool, and an attacker controlling the LLM prompt could trigger this command with crafted arguments (e.g., `--all` or auto-detection), leading to execution of arbitrary pip commands. The `packages_to_install` list is built from `TREE_SITTER_PACKAGES`, which is a static dict, so direct injection is limited, but the subprocess call itself is a vector if the dict is ever modified or if the command is extended.
IMPACT: An attacker could execute arbitrary shell commands via pip install arguments, potentially installing malicious packages or executing code during package installation (e.g., via setup.py).
FIX: Avoid using subprocess to install packages. Use a Python API like `pip._internal.main` or `importlib.metadata` for package management. If subprocess is necessary, validate that package names match a strict pattern (e.g., only alphanumeric and hyphens).
HIGH · 1 finding
src/open_agent_kit/features/swarm/daemon/server.py:141
141    app.include_router(config.router)
src/open_agent_kit/features/swarm/daemon/server.py:28

// Network-exposed MCP; requires valid agent token but no restrictions on config changes.

EXPLAIN: The `config` tool allows getting and setting daemon configuration (e.g., log level). While this is within the intended purpose, the ability to change configuration at runtime could be abused to lower security settings, change log levels to hide malicious activity, or modify other sensitive parameters. The tool does not appear to restrict which configuration keys can be modified.
IMPACT: An attacker could modify daemon configuration to reduce logging, change authentication settings, or alter behavior in ways that facilitate further attacks.
FIX: Restrict which configuration keys can be modified via the config tool. Implement a whitelist of allowed keys and validate input values.
MEDIUM · 1 finding
src/open_agent_kit/features/swarm/worker_template/src/index.ts:156
156    if (path === "/api/swarm/agent-token" && request.method === "GET") {
157      const authErr = validateSwarmToken(request, env);
158      if (authErr) return withCors(authErr, request);
159      return withCors(
160        Response.json({ agent_token: env.AGENT_TOKEN }),
161        request,
162      );
163    }
src/open_agent_kit/features/swarm/worker_template/src/index.ts:18

// Network-exposed; requires swarm token authentication, but swarm token may be shared or compromised.

EXPLAIN: The `/api/swarm/agent-token` endpoint returns the `AGENT_TOKEN` environment variable in plaintext. While it requires swarm token authentication, any user with a valid swarm token can retrieve the agent token. This agent token is used for MCP authentication, and its exposure could allow unauthorized access to the MCP endpoint.
IMPACT: An attacker with a valid swarm token can obtain the agent token and use it to call MCP tools, potentially performing unauthorized actions.
FIX: Remove this endpoint or restrict access to only authorized administrators. Consider using short-lived tokens or additional authentication.
MEDIUM · 1 finding
src/open_agent_kit/features/swarm/worker_template/src/index.ts:100
100    if (path === "/api/swarm/search" && request.method === "POST") {
101      const authErr = validateSwarmToken(request, env);
102      if (authErr) return withCors(authErr, request);
103      const doStub = getDurableObject(env);
104      return withCors(await doStub.fetch(request), request);
105    }
src/open_agent_kit/features/swarm/worker_template/src/index.ts:19

// Network-exposed; requires swarm token authentication but no input validation on search queries.

EXPLAIN: The search endpoint forwards the entire request to the Durable Object without validating the query parameters. If the search tool accepts arbitrary input, it could be used to perform injection attacks against the underlying search implementation (e.g., SQL injection if using SQLite, or NoSQL injection). The code does not show any input sanitization before passing to the DO.
IMPACT: An attacker could craft malicious search queries to extract unintended data, bypass access controls, or cause denial of service.
FIX: Validate and sanitize search query parameters before forwarding to the Durable Object. Implement strict input validation and parameterized queries.
MEDIUM · 1 finding
src/open_agent_kit/features/swarm/worker_template/src/index.ts:108
108    if (path === "/api/swarm/fetch" && request.method === "POST") {
109      const authErr = validateSwarmToken(request, env);
110      if (authErr) return withCors(authErr, request);
111      const doStub = getDurableObject(env);
112      return withCors(await doStub.fetch(request), request);
113    }
src/open_agent_kit/features/swarm/worker_template/src/index.ts:19

// Network-exposed; requires swarm token authentication but no input validation on item IDs.

EXPLAIN: The fetch endpoint forwards the entire request to the Durable Object without validating the item IDs. If the fetch tool is used to retrieve items by ID, an attacker could provide crafted IDs to access items outside their intended scope (e.g., path traversal in IDs, or accessing other teams' data).
IMPACT: An attacker could fetch arbitrary items from the swarm, potentially accessing sensitive data from other teams or unauthorized resources.
FIX: Validate that item IDs conform to expected patterns (e.g., UUID format) and enforce access controls per team.
5/21/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.