
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@filepad/agent-access-sdk
Advanced tools
Official SDK for connecting external agents to Filepad workspaces via Agent Access.
Official SDK for connecting external AI agents to Filepad workspaces via Agent Access.
Agent Access is Filepad's scoped API for external agents. It lets an outside agent:
artifacts/Agent Access does not let external agents directly mutate active workspace files, approve their own proposals, or execute automations.
npm install @filepad/agent-access-sdk
Requires Node.js 18+.
import { FilepadAgentClient } from '@filepad/agent-access-sdk';
const client = new FilepadAgentClient({
baseUrl: 'https://app.filepad.ai/api',
workspaceId: 'ws_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
keyId: 'ik_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
secret: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
});
// Verify credentials
const { scopes } = await client.verifyCredentials();
console.log('Granted scopes:', scopes);
// Read environment
const env = await client.getEnvironment();
console.log('Folders:', env.folders.map(f => f.name));
// Search workspace
const search = await client.search('quarterly report', { type: 'keyword', limit: 5 });
console.log('Results:', search.results.length);
// Create artifact
const { artifact } = await client.createArtifact({
title: 'Agent Report',
text: '# Summary\n\nGenerated by external agent.',
});
console.log('Artifact:', artifact.id);
// Emit event
const { eventId } = await client.createEvent({
eventType: 'agent.task.completed',
payload: { artifactId: artifact.id },
});
console.log('Event:', eventId);
// Query visible signals
const signals = await client.getSignals({ status: 'suggested', limit: 10 });
console.log('Signals:', signals.signals.length);
if (signals.signals[0]) {
const signal = await client.getSignal(signals.signals[0].id);
console.log('Signal:', signal.findingTypeKey, signal.status);
}
// Read Filepad callbacks addressed to this integration
const mailbox = await client.getMailbox({ unreadOnly: true, limit: 20 });
console.log('Unread mailbox items:', mailbox.items.length);
if (mailbox.items.length > 0) {
await client.ackMailbox(mailbox.items.map(item => item.id));
}
// Read this key's agent home profile
const profile = await client.getAgentProfile();
console.log('Agent profile key:', profile.keyId);
Every request is signed with HMAC-SHA256 using your Agent Access key.
Create a key in Filepad:
The SDK handles signing automatically. You only need to provide keyId and secret to the client.
FilepadAgentClientverifyCredentials()Returns the integration key id, integration id, workspace id, and granted scopes.
getEnvironment()Returns workspace folders and their status.
getFileTree()Returns all visible files and folders.
getFile(fileNodeId)Reads a file by its node id.
getPrompts() / getMcpPrompts() / getMcpResources()Discover skills and resources.
search(query, options?)Search indexed workspace context.
createArtifact(params)Create a note artifact under artifacts/.
proposeEdit(params)Propose a reviewable edit to an allowed file.
createEvent(params)Emit an activity event.
createSignal(params)Create a signal (requires signals:write scope).
getSignals(filters?)Query visible workspace signals by type, severity, status, limit, or cursor. Requires env:read.
getSignal(signalId)Read one visible workspace signal by id. Requires env:read.
getMailbox(options?)Read Filepad mailbox notifications addressed to this integration. Requires notifications:read.
ackMailbox(ids)Acknowledge processed mailbox notification ids. Requires notifications:read.
getAgentProfile(options?)Read this integration's agent home profile files under agents/integrations/{keyId}/. Requires env:read.
updateAgentProfile(params)Propose an append or replacement update to one profile file. Requires env:read and files:propose; the change waits for human review.
The SDK throws typed errors:
AuthenticationError — invalid signature or expired keyForbiddenScopeError — missing required scopeNotFoundError — file or resource not foundRateLimitError — too many requestsProposalPathError — proposal target is not allowedStaleVersionError — base version changed during proposalAll errors extend FilepadAgentError with code, message, and status properties.
import { FilepadAgentError, AuthenticationError } from '@filepad/agent-access-sdk';
try {
await client.getFile('fn_...');
} catch (err) {
if (err instanceof AuthenticationError) {
console.error('Check your key id and secret');
} else if (err instanceof FilepadAgentError) {
console.error(err.code, err.message);
}
}
| Scope | What it allows |
|---|---|
env:read | Read folders, file tree, file content, search, skill prompts, MCP resources, and visible signals |
artifacts:write | Create note artifacts under artifacts/ |
files:propose | Create reviewable edit proposals for allowed files |
memory:read | Read memory entries |
events.write | Write agent activity events |
signals:write | Create signals for automation triggers |
notifications:read | Read and acknowledge Filepad mailbox notifications addressed to this integration |
MIT
FAQs
Official SDK for connecting external agents to Filepad workspaces via Agent Access.
The npm package @filepad/agent-access-sdk receives a total of 7 weekly downloads. As such, @filepad/agent-access-sdk popularity was classified as not popular.
We found that @filepad/agent-access-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.