AI Security Review
scanned 17h ago · by lpm-firewall-ai
Install-time lifecycle code mutates AI-agent control surfaces by globally installing a package-supplied skill without an explicit user command. Runtime CLI update logic can repeat the global install and postinstall path from a detached background process.
Decision evidence
public snapshot
- package.json defines postinstall: node scripts/postinstall.mjs.
- scripts/postinstall.mjs runs npx skills add <package skill> -g -y --copy during install.
- scripts/postinstall.mjs fallback copies skills/aicard into ~/.claude/skills/aicard.
- skills/aicard/SKILL.md instructs AI agents to run aicard setup --check first and execute card/payment workflows.
- src/update-check.mjs runs npm install -g @aeon-ai-pay/aicard@latest and then executes postinstall.mjs in a detached updater on CLI use.
- src/config.mjs and commands persist wallet privateKey/config under ~/.aicard/config.json.
- README.md and docs disclose agent skill installation and virtual-card functionality.
- Network/payment endpoints are mostly aligned with the package's stated virtual card and Shopify shopping purpose.
- No source evidence of arbitrary credential harvesting beyond package wallet config use.
Source & flagged code
7 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- scripts/postinstall.mjs · L9: Install-time source drops package-supplied AI-agent/MCP control files or instructions.
- scripts/postinstall.mjs · L12: Package source references child process execution.
- scripts/postinstall.mjs · L3: Package source invokes a package manager install command at runtime.
- src/update-check.mjs: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/walletconnect.mjs: Source file is highly similar to a previously finalized malicious package; route for source-aware review.