@aeon-ai-pay/aicard@0.9.2

CLI & Agent skill for purchasing virtual debit cards via x402 protocol

AI Security Review

scanned 23h ago · by lpm-firewall-ai

The package mutates AI-agent control surfaces at install time by globally installing bundled agent skills/instructions without an explicit user command. Those instructions can cause agents to run payment-related CLI actions in later conversations.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install or global install runs postinstall
Impact
Unconsented persistence of agent instructions that can influence future agent behavior around wallet setup and card purchases
Mechanism
install-time AI-agent skill injection via npx skills add or filesystem copy
Attack narrative
On installation, the package runs scripts/postinstall.mjs, which invokes npx skills add with global flags to install the bundled aicard skill into detected AI tools, or copies it into Claude's skills directory. The installed skill instructs agents to run the aicard CLI for wallet/card workflows and to proceed with card creation after an amount is given, creating an unconsented agent-control persistence surface.
Rationale
Source inspection confirms install-time mutation of AI-agent control files, which is not necessary for a CLI library install and persists behavior outside the package. Package-aligned payment code does not offset the unconsented lifecycle agent-control hijack.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • skills/aicard/SKILL.md
  • templates/codex/AGENTS.md
  • src/update-check.mjs
  • src/config.mjs
  • skills/aicard
  • ~/.claude/skills/aicard
  • ~/.aicard/update.log
Network endpoints (2)
  • ai-api.aeon.xyz
  • few-boldest-spring.bsc.quiknode.pro/ec468d8a1ea2c310457b2e2f4eea257e62ba3b1e/

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs executes npx skills add skills/aicard -g -y --copy during install.
  • scripts/postinstall.mjs fallback copies bundled skill to ~/.claude/skills/aicard.
  • skills/aicard/SKILL.md tells agents to run setup --check on entry and execute card creation once amount is specified.
  • src/update-check.mjs checks npm on CLI startup and spawns background npm install -g plus postinstall for newer versions.
Evidence against
  • CLI payment/network behavior is mostly aligned with virtual-card functionality.
  • Private keys are read from CLI/env/local config and used for wallet signing; no direct credential exfiltration code found.
  • Card data caching in src/shop/cards.mjs is local ~/.aicard storage with redacted listing support.
Behavioral surface
Source
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
Supply chain
HighEntropyStrings · Minified · UrlStrings
Manifest
No manifest risk signals triggered.
scanned 32 file(s), 177 KB of source, external domains: 127.0.0.1, ai-api.aeon.xyz, catalog.shopify.com, cdn.jsdelivr.net, few-boldest-spring.bsc.quiknode.pro, github.com, nodejs.org, shopify.dev, www.w3.org

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
  L9:
  L10: import { cpSync, existsSync, mkdirSync } from 'node:fs';
  L11: import { join, dirname } from 'node:path';
  ...
  L44: // Fallback: manually copy to Claude Code
  L45: const dest = join(homedir(), '.claude', 'skills', 'aicard');
  L46: mkdirSync(dirname(dest), { recursive: true });
  L47: cpSync(skillSrc, dest, { recursive: true, force: true });
  L48: console.log(`✔ aicard skill installed to ${dest} (fallback)`);
Payload evidence from templates/codex/AGENTS.md:
  L10:
  L11: Returns an envelope on stdout; `envelope.data.ready === true` means ready.
  L12:
  ...
  L38:
  L39: - **Never** prompt for private keys. The CLI auto-generates a local session wallet.
  L40: - **Never** display full card numbers, CVV, or expiry. The CLI already redacts these to `•••• 1234`.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L9
  L12: import { homedir } from 'node:os';
  L13: import { execFileSync } from 'node:child_process';
  L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjs · L12
  L3: /**
  L4:  * After npm install -g, automatically install the skill into all detected AI coding tools
  L5:  *
  ...
  L12: import { homedir } from 'node:os';
  L13: import { execFileSync } from 'node:child_process';
  L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjs · L3
src/walletconnect.mjs
matchType = normalized_sha256
matchedPackage = @aeon-ai-pay/aicard@0.8.9
matchedPath = src/walletconnect.mjs
matchedIdentity = npm:QGFlb24tYWktcGF5L2FpY2FyZA:0.8.9
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/walletconnect.mjs

Findings

1 Critical · 5 High · 4 Medium · 4 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · scripts/postinstall.mjs
High · Shell
High · Runtime Package Install · scripts/postinstall.mjs
High · Known Malware Source Similarity · src/walletconnect.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings