@aeon-ai-pay/aicard@1.0.3

CLI & Agent skill for purchasing virtual debit cards via x402 protocol

AI Security Review

scanned 17h ago · by lpm-firewall-ai

Install-time lifecycle code mutates AI-agent control surfaces by globally installing a bundled skill/instructions. The installed skill can cause agents to run wallet/payment setup commands in future user sessions.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install or global install; later aicard CLI startup for update path
Impact
Persistent agent behavior change, possible future command execution involving wallet setup/payment flows, and global package replacement
Mechanism
unconsented lifecycle AI-agent skill installation and self-update
Attack narrative
On installation, the package executes scripts/postinstall.mjs, which invokes npx skills add with global flags to install the bundled aicard skill across detected AI tools, or copies it directly into ~/.claude/skills/aicard. Those instructions then steer agents to run aicard setup and payment commands. The CLI also contains a startup update checker that can spawn a detached npm install -g and rerun postinstall.
Rationale
Source inspection confirms an install-time, unconsented AI-agent control-surface mutation, which is a concrete lifecycle attack behavior even though much runtime payment functionality is package-aligned. This should be blocked rather than warned because the behavior activates on install and persists outside normal package import/CLI use.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • skills/aicard/SKILL.md
  • templates/codex/AGENTS.md
  • src/update-check.mjs
  • src/config.mjs
  • skills/aicard
  • ~/.claude/skills/aicard
  • ~/.aicard/config.json
  • ~/.aicard/update.log
Network endpoints (4)
  • ai-api.aeon.xyz
  • few-boldest-spring.bsc.quiknode.pro/ec468d8a1ea2c310457b2e2f4eea257e62ba3b1e/
  • cdn.jsdelivr.net/npm/qrious@4.0.2/dist/qrious.min.js
  • github.com/AEON-Project/aicard

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs runs npx skills add skills/aicard -g -y --copy during install
  • scripts/postinstall.mjs fallback copies bundled skill to ~/.claude/skills/aicard without user action
  • skills/aicard/SKILL.md instructs agents to always run aicard setup --check, which auto-generates and stores a wallet key
  • src/update-check.mjs runs npm view on CLI startup and can spawn background npm install -g plus postinstall
Evidence against
  • CLI code and docs are broadly aligned with virtual card, WalletConnect, and x402 payment functionality
  • No source evidence of generic credential harvesting or direct exfiltration of env/files beyond payment/config flows
  • Wallet transactions appear user-facing through WalletConnect or local wallet commands
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 32 file(s), 208 KB of source, external domains: 127.0.0.1, ai-api.aeon.xyz, catalog.shopify.com, cdn.jsdelivr.net, few-boldest-spring.bsc.quiknode.pro, github.com, nodejs.org, shopify.dev, www.w3.org

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
    L9:
    L10: import { cpSync, existsSync, mkdirSync } from 'node:fs';
    L11: import { join, dirname } from 'node:path';
    ...
    L44: // Fallback: manually copy to Claude Code
    L45: const dest = join(homedir(), '.claude', 'skills', 'aicard');
    L46: mkdirSync(dirname(dest), { recursive: true });
    L47: cpSync(skillSrc, dest, { recursive: true, force: true });
    L48: console.log(`✔ aicard skill installed to ${dest} (fallback)`);
Payload evidence from templates/codex/AGENTS.md:
    L10:
    L11: Returns an envelope on stdout; `envelope.data.ready === true` means ready.
    L12:
    ...
    L38:
    L39: - **Never** prompt for private keys. The CLI auto-generates a local session wallet.
    L40: - **Never** display full card numbers, CVV, or expiry. The CLI already redacts these to `•••• 1234`.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L9
    L12: import { homedir } from 'node:os';
    L13: import { execFileSync } from 'node:child_process';
    L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjs · L12
    L3: /**
    L4:  * After npm install -g, automatically install the skill into all detected AI coding tools
    L5:  *
    ...
    L12: import { homedir } from 'node:os';
    L13: import { execFileSync } from 'node:child_process';
    L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjs · L3
src/walletconnect.mjs
    matchType = normalized_sha256
    matchedPackage = @aeon-ai-pay/aicard@0.9.3
    matchedPath = src/walletconnect.mjs
    matchedIdentity = npm:QGFlb24tYWktcGF5L2FpY2FyZA:0.9.3
    similarity = 1.000
    summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/walletconnect.mjs

Findings

1 Critical · 5 High · 4 Medium · 4 Low
  • Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · scripts/postinstall.mjs
  • High · Shell
  • High · Runtime Package Install · scripts/postinstall.mjs
  • High · Known Malware Source Similarity · src/walletconnect.mjs
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings