Even without privilege escalation a feel like this is a big security risk. I can't imagine having dozens of servers bound to a web service, with a user interface accessible from anywhere with a simple login and password. and from that interface you can add any number of arbitrary command.

I've created the account, copy the command, pasted in a terminal but I just couldn't hit enter... and that is in my home computer. I downloaded the link and the target manually, just checkout the content.

We wanted to make your job easy and hence provided a one-line installation command. You can always know what's happening.

1. Agent installation script is available at https://agent.sealion.com. Feel free to check it out.

2. We create a non-privileged user using the above script. Hence, we cannot run privileged commands without your permission.

3. The data logged is solely for your usage. The data is stored in secure Amazon servers. Will improve the privacy policy.

4. BTW, we are thinking of providing installer packages and also release the agent code under an open source license to alleviate your concerns.

This isn't about the installer. It's about allowing arbitrary commands to be executed as specified by the API.

Specifically, lib/authentication.js receives a new command, passes it to addActivity in lib/execute_services.js, which schedules it to `exec` periodically (the period is defined by the API response) via ExecuteCommand.executeCommand.

As for the user that the sealion-agent is run as, it's started as root, then setuid'ed to the sealion user in index.js, so any update can undo the setuid and allow full root access.

Basically, by installing sealion-agent, I have given you, all of your current employees and of your future employees (both in CA and India) full access to the server.

No offense, but I don't trust you that much.

Not to mention, it means that Sealion is one admin account compromise away from losing the keys to a ready-made botnet.