@framers/agentos — Greenflagged

Modular AgentOS orchestration library

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

manicteamjdunnfive

Keywords

agentosframers-agentosai-agentsai-agent-frameworkai-agent-runtimeautonomous-agentsagent-frameworkagentic-aimulti-agentmulti-agent-orchestrationagent-graphagent-graph-orchestrationcognitive-memorycognitive-pipelinememory-routerebbinghaus-decayragmultimodal-ragvector-searchguardrailsai-guardrailsvoice-pipelinespeech-to-texttext-to-speechtool-usetool-generationruntime-tool-generationspecialist-spawninghexacopersonalityemergent-behaviorllmllm-orchestrationopenaianthropicclaudegpttypescriptnodejsopen-sourceapache-2.0framersframe-devlong-term-memoryagent-memoryai-agent-memorytool-forginglongmemeval

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/emergent/SandboxedToolForge.js	AI (source-diff): SandboxedToolForge is a documented sandboxing utility; net+exec combination is intentional and security-hardened.	ai	2026/05/19
source-diff	net-exec-file:dist/emergent/SandboxedToolForge.d.ts	AI (source-diff): Type declaration file for SandboxedToolForge; same rationale as the .js file — intentional sandbox design.	ai	2026/05/19
dependencies	unvetted-peer-dep:hnswlib-node	AI (dependencies): Peer dependency for optional vector search functionality; consumers control inclusion and vetting.	ai	2026/04/26
dependencies	unvetted-peer-dep:ppu-paddle-ocr	AI (dependencies): Peer dependency for optional OCR functionality; consumers control inclusion and vetting.	ai	2026/04/26
dependencies	unvetted-peer-dep:@framers/sql-storage-adapter	AI (dependencies): Peer dependency for optional SQL storage; marked optional in peerDependenciesMeta; consumers control inclusion.	ai	2026/04/26
source-diff	large-new-source-files	AI (source-diff): Package is an AI orchestration library with many optional modules; large source file additions are expected with minor version bumps as new capabilities are added.	ai	2026/04/25
bogus-package	bogus-package	AI (bogus-package): Legitimate orchestration library with active maintenance (263 versions, 5.7k weekly downloads). Spam signals are weak metadata heuristics; no malware indicators present.	ai	2026/04/25
dependencies	unvetted-dep:natural	AI (dependencies): natural is a well-established NLP library; its use is consistent with this package's NLP/orchestration purpose and poses no security risk.	ai	2026/04/25
phantom-deps	phantom-dep:openredaction	AI (phantom-deps): openredaction is declared in dependencies and referenced in config; phantom-dep flag is a minor packaging concern, not a security issue for this package.	ai	2026/04/25
provenance	no-provenance	AI (provenance): Established package with 263 versions and 5.7k weekly downloads; lack of provenance is common and not a security disqualifier for this package.	ai	2026/04/24