@aeon-ai-pay/aicard@0.9.3

CLI & Agent skill for purchasing virtual debit cards via x402 protocol

AI Security Review

scanned 22h ago · by lpm-firewall-ai

Confirmed unconsented AI-agent control-surface mutation at npm install time. The package installs its own agent skill globally across detected tools, or directly into Claude skills, before the user invokes the CLI.

Static reason
High-risk behavior combination matched malicious policy; source matched a previously finalized malicious package; routed for review
Trigger
npm install of @aeon-ai-pay/aicard@0.9.3, or a later CLI startup when an update is available
Impact
Can alter agent behavior to run package commands and payment workflows, creating a durable control surface in AI coding tools outside normal package import/runtime consent.
Mechanism
postinstall global agent-skill installation and detached self-update reinstall
Attack narrative
On installation, package.json runs scripts/postinstall.mjs. That script executes npx skills add on the bundled skills/aicard directory with global and auto-confirm flags, and falls back to copying the skill into ~/.claude/skills/aicard. The installed skill instructs AI agents to invoke the aicard CLI and manage wallet/card purchase workflows. Separately, normal CLI startup checks npm and can silently spawn a detached global reinstall plus postinstall for newer versions.
Rationale
The payment functionality is plausibly package-aligned, but install-time mutation of AI-agent skill/control files is unconsented and durable. That concrete lifecycle behavior meets the firewall boundary for malicious AI-agent control-surface hijack.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • skills/aicard/SKILL.md
  • bin/cli.mjs
  • src/update-check.mjs
  • src/config.mjs
  • ~/.claude/skills/aicard
  • ~/.aicard/update.log
Network endpoints (2)
  • github.com/AEON-Project/aicard
  • ai-api.aeon.xyz

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs runs npx skills add skills/aicard -g -y --copy at install time
  • scripts/postinstall.mjs fallback copies bundled skill into ~/.claude/skills/aicard without user invocation
  • skills/aicard/SKILL.md instructs agents to run aicard setup --check first and can drive wallet/card purchase workflows
  • bin/cli.mjs imports update-check at startup; src/update-check.mjs runs npm view then detached npm install -g and postinstall on newer version
Evidence against
  • CLI payment, wallet, and Shopify flows are package-aligned and mostly user-invoked
  • src/config.mjs stores generated local wallet config under ~/.aicard/config.json with mode 0600
  • No static evidence of private key exfiltration or broad filesystem harvesting
  • WalletConnect transfers require user wallet approval
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.
scanned 32 file(s), 180 KB of source, external domains: 127.0.0.1, ai-api.aeon.xyz, catalog.shopify.com, cdn.jsdelivr.net, few-boldest-spring.bsc.quiknode.pro, github.com, nodejs.org, shopify.dev, www.w3.org

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence (scripts/postinstall.mjs):
  L9:
  L10: import { cpSync, existsSync, mkdirSync } from 'node:fs';
  L11: import { join, dirname } from 'node:path';
  ...
  L44: // Fallback: copy manually into Claude Code
  L45: const dest = join(homedir(), '.claude', 'skills', 'aicard');
  L46: mkdirSync(dirname(dest), { recursive: true });
  L47: cpSync(skillSrc, dest, { recursive: true, force: true });
  L48: console.log(`✔ aicard skill installed to ${dest} (fallback)`);
Payload evidence from templates/codex/AGENTS.md:
  L10:
  L11: Returns an envelope on stdout; `envelope.data.ready === true` means ready.
  L12: ...
  L38:
  L39: - **Never** prompt for private keys. The CLI auto-generates a local session wallet.
  L40: - **Never** display full card numbers, CVV, or expiry. The CLI already redacts these to `•••• 1234`.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L9
  L12: import { homedir } from 'node:os';
  L13: import { execFileSync } from 'node:child_process';
  L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjs · L12
  L3: /**
  L4:  * After npm install -g, automatically installs the skill into all detected AI coding tools
  L5:  * ...
  L12: import { homedir } from 'node:os';
  L13: import { execFileSync } from 'node:child_process';
  L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjs · L3
src/walletconnect.mjs
  matchType = normalized_sha256
  matchedPackage = @aeon-ai-pay/aicard@0.9.2
  matchedPath = src/walletconnect.mjs
  matchedIdentity = npm:QGFlb24tYWktcGF5L2FpY2FyZA:0.9.2
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/walletconnect.mjs

Findings

1 Critical, 5 High, 4 Medium, 4 Low
  • Critical: Ai Agent Control Hijack (scripts/postinstall.mjs)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Child Process (scripts/postinstall.mjs)
  • High: Shell
  • High: Runtime Package Install (scripts/postinstall.mjs)
  • High: Known Malware Source Similarity (src/walletconnect.mjs)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings