
@aeon-ai-pay/aicard@0.8.9

CLI & Agent skill for purchasing virtual debit cards via x402 protocol

AI Security Review

scanned 1d ago · by lpm-firewall-ai

The package mutates AI-agent control surfaces during npm install by installing a bundled skill globally or copying it into Claude Code skills. CLI startup also performs silent background self-upgrade and reruns the postinstall installer.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: npm install/postinstall, or running the aicard CLI later.
Impact: Installed agents may follow package-supplied payment workflow instructions and execute wallet/card commands; the CLI may also install future package versions globally without explicit user action.
Mechanism: unconsented AI-agent skill installation plus background self-update.
Attack narrative
On installation, the package runs scripts/postinstall.mjs, which attempts a global skills CLI install into all detected AI tools with -g -y --copy and falls back to copying its skill into ~/.claude/skills/aicard. That bundled skill changes agent behavior around virtual-card purchases and command execution. Later CLI use checks npm for newer versions, installs them globally in a detached background process, and reruns postinstall, extending the control-surface mutation to future versions.
Rationale
The source confirms unconsented install-time mutation of AI-agent control files and a background self-update path that reruns that mutation. Even though the payment/network code largely matches the package theme, install-time AI-agent control-surface writes are concrete malicious behavior for the firewall boundary.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • src/update-check.mjs
  • skills/aicard/SKILL.md
  • templates/codex/AGENTS.md
  • src/commands/setup.mjs
  • skills/aicard
  • ~/.claude/skills/aicard
  • ~/.aicard/config.json
  • ~/.aicard/update.log
Network endpoints (7)
  • ai-api.aeon.xyz
  • few-boldest-spring.bsc.quiknode.pro/ec468d8a1ea2c310457b2e2f4eea257e62ba3b1e/
  • cdn.jsdelivr.net/npm/qrious@4.0.2/dist/qrious.min.js
  • github.com/AEON-Project/aicard
  • catalog.shopify.com/api/ucp/mcp
  • shopify.dev/ucp/agent-profiles/examples/2026-04-08/cart-and-checkout.json
  • shopify.dev/ucp/agent-profiles/examples/2026-04-08/valid-with-capabilities.json

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs invokes npx skills add ... -g -y --copy at install time.
  • scripts/postinstall.mjs fallback copies skills/aicard into ~/.claude/skills/aicard without user confirmation.
  • src/update-check.mjs runs npm view on CLI startup, then background npm install -g and reruns postinstall for newer versions.
  • skills/aicard/SKILL.md instructs agents to always run aicard setup --check and to execute card creation after amount selection.
  • src/commands/setup.mjs auto-generates and stores a private key in ~/.aicard/config.json when setup --check is run.
Evidence against
  • Network and wallet operations are mostly aligned with the advertised virtual-card/x402 CLI purpose.
  • Private key display is masked in setup --show.
  • Card data is sanitized before normal create output.
  • No source evidence of credential exfiltration from arbitrary env/files beyond configured wallet/payment flows.
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 31 file(s), 164 KB of source, external domains: 127.0.0.1, ai-api.aeon.xyz, catalog.shopify.com, cdn.jsdelivr.net, few-boldest-spring.bsc.quiknode.pro, github.com, nodejs.org, shopify.dev, www.w3.org

Source & flagged code

5 flagged

package.json
  scripts.postinstall = node scripts/postinstall.mjs
High · Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Location: package.json
  scripts.postinstall = node scripts/postinstall.mjs
Medium · Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Location: package.json
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence (scripts/postinstall.mjs, from L9):
  L9:
  L10: import { cpSync, existsSync, mkdirSync } from 'node:fs';
  L11: import { join, dirname } from 'node:path';
  ...
  L36: // Fallback: copy manually into Claude Code
  L37: const dest = join(homedir(), '.claude', 'skills', 'aicard');
  L38: mkdirSync(dirname(dest), { recursive: true });
  L39: cpSync(skillSrc, dest, { recursive: true, force: true });
  L40: console.log(`✔ aicard skill installed to ${dest} (fallback)`);
Payload evidence from templates/codex/AGENTS.md:
  L10:
  L11: Returns an envelope on stdout; `envelope.data.ready === true` means ready.
  L12: ...
  L38:
  L39: - **Never** prompt for private keys. The CLI auto-generates a local session wallet.
  L40: - **Never** display full card numbers, CVV, or expiry. The CLI already redacts these to `•••• 1234`.
Critical · AI Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

Location: scripts/postinstall.mjs · L9
  L12: import { homedir } from 'node:os';
  L13: import { execFileSync } from 'node:child_process';
  L14: import { fileURLToPath } from 'node:url';
High · Child Process

Package source references child process execution.

Location: scripts/postinstall.mjs · L12
  L3: /**
  L4:  * After npm install -g, automatically install the skill into all detected AI coding tools
  L5:  * ...
  L12: import { homedir } from 'node:os';
  L13: import { execFileSync } from 'node:child_process';
  L14: import { fileURLToPath } from 'node:url';
High · Runtime Package Install

Package source invokes a package manager install command at runtime.

Location: scripts/postinstall.mjs · L3

Findings

1 Critical, 4 High, 4 Medium, 4 Low
  • Critical · AI Agent Control Hijack · scripts/postinstall.mjs
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · scripts/postinstall.mjs
  • High · Shell
  • High · Runtime Package Install · scripts/postinstall.mjs
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings