registry  /  @aegisrunner/cli  /  1.0.13

@aegisrunner/cli@1.0.13

AegisRunner CLI — trigger test runs, scans and mobile scans from CI. Zero dependencies.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Explicit runner and tunnel commands create an outbound control channel to the configured API. A runner can be instructed to probe network-reachable URLs, and a tunnel can relay local HTTP responses.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `aegis runner`, `aegis tunnel`, `aegis scan --tunnel`, or `aegis dev`.
Impact
A compromised or untrusted configured API/token holder could cause probes of internal URLs or receive relayed local application responses.
Mechanism
Authenticated remote job polling and reverse HTTP tunneling.
Rationale
Source inspection does not establish malware or covert execution, but it does establish an explicit, authenticated remote-control capability that can access private network targets and relay local responses. This warrants a warning rather than a publish block.
Evidence
package.jsonbin/aegis.mjslib/api.mjslib/runner.mjslib/tunnel.mjs.git/hooks/pre-push
Network endpoints1
app.aegisrunner.com/api/v1

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `lib/runner.mjs` polls the configured API for jobs and fetches server-supplied internal target URLs.
  • Runner posts target metadata, hostname, titles, server headers, and broken-link results back to the API.
  • `lib/tunnel.mjs` relays local HTTP requests and full response bodies through the configured control plane.
  • `bin/aegis.mjs` installs a Git pre-push hook only after explicit `aegis hooks install`.
  • The `dev` command executes only a command supplied after `--`; Windows shell use is platform-specific.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle scripts.
  • The package contains only readable JavaScript source; no bundled binaries, bytecode, or staged payloads.
  • No credential harvesting beyond explicitly supplied `AEGIS_TOKEN` and scan password inputs was found.
  • No eval, VM, native loading, hidden persistence, or import-time network action was found.
  • Hook mutation is opt-in, marker-guarded, and restores a backed-up hook on uninstall.
  • Default API traffic targets the package-aligned `https://app.aegisrunner.com/api/v1` endpoint.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 53.2 KB of source, external domains: app.aegisrunner.com, staging.example.com, staging.internal

Source & flagged code

4 flagged · loading source
bin/aegis.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @aegisrunner/cli@1.0.11 matchedIdentity = npm:QGFlZ2lzcnVubmVyL2NsaQ:1.0.11 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/aegis.mjsView on unpkg
449L450: const { spawn } = await import('node:child_process'); L451: const { runTunnel } = await import('../lib/tunnel.mjs');
High
Child Process

Package source references child process execution.

bin/aegis.mjsView on unpkg · L449
517// only when we weren't handed a --port. L518: child.stdout.on('data', (c) => { process.stdout.write(c); if (!opts.port) sniffPort(c); }); L519: child.stderr.on('data', (c) => { process.stderr.write(c); if (!opts.port) sniffPort(c); }); ... L526: try { if (process.stdin.isTTY) process.stdin.setRawMode(false); } catch {} L527: try { if (win) spawn('taskkill', ['/pid', String(child.pid), '/T', '/F'], { stdio: 'ignore' }); else process.kill(-child.pid, 'SIGTERM'); } L528: catch { try { child.kill(); } catch {} } ... L532: const openResults = () => { L533: const url = 'https://app.aegisrunner.com'; L534: const opener = win ? 'cmd' : process.platform === 'darwin' ? 'open' : 'xdg-open';
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/aegis.mjsView on unpkg · L517
9L10: const pkg = JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf8')); L11: const log = (msg) => process.stderr.write(msg + '\n'); L12: const sleep = (ms) => new Promise((r) => setTimeout(r, ms)); ... L173: Queue work for it from anywhere with: L174: aegis runner-enqueue --url http://staging.internal:8080 L175: ... L213: function client(opts) { L214: const token = opts.token || process.env.AEGIS_TOKEN; L215: if (!token) throw new UsageError('Missing token: pass --token or set AEGIS_TOKEN'); ... L449: L450: const { spawn } = await import('node:child_process');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/aegis.mjsView on unpkg · L9

Findings

1 Critical4 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/aegis.mjs
HighChild Processbin/aegis.mjs
HighShell
HighCommand Output Exfiltrationbin/aegis.mjs
HighSandbox Evasion Gated Capabilitybin/aegis.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings