The codeMode tool in src/praisonai-ts/src/tools/builtins/code-mode.ts uses new Function() with a with(sandbox) pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed: Function('return this')() recovers the real global object, and global.require() reached through string concatenation (so the blocked identifier never appears literally in the source) evades the blocklist regex. The result is full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.
The published npm package praisonai ships dist/tools/utility-tools.js, which exports a shell(command) helper described in source as "Execute shell command (safe version - read-only commands)". The helper attempts to enforce a read-only command allowlist by checking only the first whitespace-delimited token: const safeCommands = ['ls', 'cat', 'head', 'tail', 'wc', 'grep', 'find', 'echo', 'date', 'pwd', 'which']; const firstWord = command.split(/\s+/)[0]; if (!safeCommands.includes(firstWord)) { return { success: false, error: `Command not allowed: …
The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as "network-isolated: No network access (proxy blocked)". The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced execution boundary; it only injects proxy environment variables into the child process: http_proxy: 'http://localhost:0', https_proxy: 'http://localhost:0', HTTP_PROXY: 'http://localhost:0', HTTPS_PROXY: 'http://localhost:0', no_proxy: '', NO_PROXY: ''. Clients that do not explicitly honor those …
The published npm package praisonai exports SandboxExecutor, CommandValidator, and sandboxExec as "safe command execution with restrictions." When allowedCommands is configured, CommandValidator checks only the first whitespace-delimited token of the command string. SandboxExecutor then passes the entire original string to spawn("sh", ["-c", command]). With a policy that allows only echo, this direct command is correctly rejected: "cat /tmp/marker", but this chained command is accepted and executed: "echo allowed; cat /tmp/marker". The …
The published npm package praisonai exports a TypeScript MCPServer that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with: await server.start({ port: 3000 }); The HTTP transport has no authentication or authorization path. MCPServerConfig does not expose an auth/security setting, startHttp() ignores the Authorization header, and every POST request is parsed and forwarded directly to handleRequest(). That request handler dispatches sensitive MCP methods such as tools/call, resources/read, …
The published npm package praisonai exports an MCPSecurity helper described in source as "MCP Security - Authentication, authorization, and rate limiting. Provides security policies for MCP servers." Its AuthMethod type advertises five authentication methods: export type AuthMethod = 'none' | 'api-key' | 'bearer' | 'basic' | 'oauth'; The authentication-policy evaluator, however, only validates credentials for api-key and bearer: if (policy.auth.method === 'api-key' || policy.auth.method === 'bearer') { const valid = …
The published npm package praisonai exports a TypeScript built-in tool named codeMode. The package describes this tool as executing code in a sandboxed environment, marks its capability as sandbox: true, and registers it through the public tools facade. The implementation does not create an isolation boundary. It applies a small regular-expression blocklist, sets process and require to undefined inside a plain JavaScript object, and then executes attacker-controlled code with the …
The published npm package praisonai ships a TypeScript AgentOS HTTP server that defaults to host: "0.0.0.0" and registers sensitive agent routes without any authentication or authorization middleware. When a developer starts AgentOS, a network attacker who can reach the service can: read configured agent names, roles, and the first 100 characters of each agent's instructions through GET /api/agents; and invoke the selected agent through POST /api/chat without credentials. This is …
The published npm package praisonai exports createAgentLoop(), whose onToolCall callback is documented, and shown in the examples, as an approval hook. The implementation calls PraisonAI's generateText() wrapper with the caller's executable tools first, receives toolResults, and only then calls onToolCall(). Because AI SDK generateText() runs any tool that has an execute function as part of the generation call, onToolCall can deny a tool only after the sensitive side effect has already happened. PraisonAI then returns …
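The ordering problem in the entry above is easiest to see with the side effect made visible. The block below is an added example written for this page; it is neither praisonai's code nor the AI SDK's. fakeGenerateText is a constructed stand-in for a generation call that executes any tool carrying an execute function, used only to show when execute runs relative to the approval callback. loopApprovalAfterExecution reproduces the described order (generate, receive toolResults, then consult onToolCall); loopApprovalBeforeExecution wraps each tool so the approval decision is taken before execute is ever entered. The tool name deleteFile and the scenario are constructed.

```javascript
// Added example (not praisonai's or the AI SDK's code): approval after the tool
// has already executed, beside approval gated in front of execute.

// Constructed stand-in for a generation call that executes tools inline: the
// "model" requests the listed tool calls and each execute runs during generation.
function fakeGenerateText({ tools, toolCalls }) {
  const toolResults = [];
  for (const call of toolCalls) {
    const tool = tools[call.toolName];
    const result = tool && tool.execute ? tool.execute(call.args) : undefined;
    toolResults.push({ ...call, result });
  }
  return { toolResults };
}

// Order described on this page: generate (executing tools) first, ask onToolCall
// afterwards. A denial can only drop the result; the side effect has happened.
function loopApprovalAfterExecution({ tools, toolCalls, onToolCall }) {
  const { toolResults } = fakeGenerateText({ tools, toolCalls });
  return toolResults.filter((r) => onToolCall(r) !== false);
}

// Hardened order: wrap every tool so onToolCall decides before execute is entered.
// A denied call never reaches the original execute and reports that nothing ran.
function gateTools(tools, onToolCall) {
  const gated = {};
  for (const [name, tool] of Object.entries(tools)) {
    gated[name] = {
      ...tool,
      execute(args) {
        if (onToolCall({ toolName: name, args }) === false) return { denied: true };
        return tool.execute(args);
      },
    };
  }
  return gated;
}
function loopApprovalBeforeExecution({ tools, toolCalls, onToolCall }) {
  return fakeGenerateText({ tools: gateTools(tools, onToolCall), toolCalls }).toolResults;
}

// Constructed scenario: a destructive tool that records what it touched, and an
// approval hook that denies it. Returns the recorded effects and the loop's results.
function scenario(loop) {
  const effects = [];
  const tools = {
    deleteFile: { execute: ({ path }) => { effects.push(path); return 'deleted'; } },
  };
  const toolCalls = [{ toolName: 'deleteFile', args: { path: '/tmp/report.txt' } }];
  const onToolCall = (call) => call.toolName !== 'deleteFile';
  const results = loop({ tools, toolCalls, onToolCall });
  return { effects, results };
}
```

The gating pattern works because the approval hook owns the only path into execute; an equivalent fix in a real loop is to hand the generation call tools without execute functions, collect the proposed tool calls, run the approval hook, and only then invoke the approved ones yourself.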