registry  /  @aegisrunner/cli  /  1.0.11

@aegisrunner/cli@1.0.11

AegisRunner CLI — trigger test runs, scans and mobile scans from CI. Zero dependencies.

AI Security Review

scanned 10h ago · by lpm-firewall-ai

The explicit self-hosted runner and tunnel commands let the service reach private/local HTTP targets through a token-authenticated client. This is a package-aligned but high-impact remote-control capability; no install-time attack is present.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `aegis runner`, `aegis tunnel`, or `aegis dev` with an AEGIS token.
Impact
A controlling API can cause authenticated runners to probe internal URLs; tunnel mode returns local HTTP responses to the service.
Mechanism
Outbound job polling and reverse HTTP relay to private/local targets.
Rationale
Source inspection confirms an explicit, token-gated internal-network runner/tunnel capability but no malicious lifecycle execution, credential theft, stealth, or destructive chain. Treat it as a dangerous dual-use package capability rather than a publish-blocking malicious package.
Evidence
package.jsonbin/aegis.mjslib/api.mjslib/runner.mjslib/tunnel.mjs.git/hooks/pre-push.git/hooks/pre-push.pre-aegis
Network endpoints2
app.aegisrunner.com/api/v1app.aegisrunner.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `lib/runner.mjs` accepts cloud-supplied job URLs and fetches them from the runner's private network.
  • `lib/tunnel.mjs` relays full local HTTP responses through an outbound cloud tunnel.
  • `bin/aegis.mjs` can execute a user-supplied dev command and install an opt-in Git pre-push hook.
  • Runner reports target metadata, titles, server headers, and broken-link URLs to the API.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • All network and execution paths require an explicit CLI command and an AEGIS token.
  • No credential harvesting beyond documented AEGIS token/password inputs was found.
  • No eval, native/binary loading, stealth persistence, or destructive behavior was found.
  • Hook changes are explicit `aegis hooks install` actions and preserve/restore an existing hook.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 49.9 KB of source, external domains: app.aegisrunner.com, staging.example.com, staging.internal

Source & flagged code

4 flagged · loading source
bin/aegis.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @aegisrunner/cli@1.0.8 matchedIdentity = npm:QGFlZ2lzcnVubmVyL2NsaQ:1.0.8 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/aegis.mjsView on unpkg
449L450: const { spawn } = await import('node:child_process'); L451: const { runTunnel } = await import('../lib/tunnel.mjs');
High
Child Process

Package source references child process execution.

bin/aegis.mjsView on unpkg · L449
509// only when we weren't handed a --port. L510: child.stdout.on('data', (c) => { process.stdout.write(c); if (!opts.port) sniffPort(c); }); L511: child.stderr.on('data', (c) => { process.stderr.write(c); if (!opts.port) sniffPort(c); }); ... L518: try { if (process.stdin.isTTY) process.stdin.setRawMode(false); } catch {} L519: try { if (win) spawn('taskkill', ['/pid', String(child.pid), '/T', '/F'], { stdio: 'ignore' }); else process.kill(-child.pid, 'SIGTERM'); } L520: catch { try { child.kill(); } catch {} } ... L524: const openResults = () => { L525: const url = 'https://app.aegisrunner.com'; L526: const opener = win ? 'cmd' : process.platform === 'darwin' ? 'open' : 'xdg-open';
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/aegis.mjsView on unpkg · L509
9L10: const pkg = JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf8')); L11: const log = (msg) => process.stderr.write(msg + '\n'); L12: const sleep = (ms) => new Promise((r) => setTimeout(r, ms)); ... L173: Queue work for it from anywhere with: L174: aegis runner-enqueue --url http://staging.internal:8080 L175: ... L213: function client(opts) { L214: const token = opts.token || process.env.AEGIS_TOKEN; L215: if (!token) throw new UsageError('Missing token: pass --token or set AEGIS_TOKEN'); ... L449: L450: const { spawn } = await import('node:child_process');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/aegis.mjsView on unpkg · L9

Findings

1 Critical4 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/aegis.mjs
HighChild Processbin/aegis.mjs
HighShell
HighCommand Output Exfiltrationbin/aegis.mjs
HighSandbox Evasion Gated Capabilitybin/aegis.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings