@aeon-ai-pay/aicard@1.0.4

CLI & Agent skill for purchasing virtual debit cards via x402 protocol

AI Security Review

scanned 17h ago · by lpm-firewall-ai

Install-time lifecycle code mutates AI-agent control surfaces by globally installing a package-supplied skill without an explicit user command. Runtime CLI update logic can repeat the global install and postinstall path from a detached background process.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install / npm install -g, and later invoking bin/cli.mjs when an update is available
Impact
AI coding agents may be influenced to run package payment/wallet commands and create persistent wallet config; future package updates can refresh the agent skill outside the user's immediate action.
Mechanism
unconsented lifecycle AI-agent skill installation plus background self-update
Attack narrative
On package installation, postinstall executes npx skills add with global, yes, and copy flags to install the bundled aicard skill into detected AI tools; if that fails it directly copies the skill into ~/.claude/skills/aicard. The installed skill directs agents to run aicard setup and payment/card workflows. When the CLI is later invoked, update-check may silently install the latest global package and execute its postinstall again in a detached child process.
Rationale
The confirmed behavior is an unconsented install-time mutation of AI-agent instruction/control files, with a runtime updater that can re-run the same mutation. This meets the firewall malicious threshold for lifecycle AI-agent control-surface hijack despite the payment functionality being documented.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • skills/aicard/SKILL.md
  • src/update-check.mjs
  • src/config.mjs
  • bin/cli.mjs
  • src/constants.mjs
  • ~/.claude/skills/aicard
  • ~/.aicard/config.json
  • ~/.aicard/update.log
Network endpoints (4)
  • ai-api.aeon.xyz
  • few-boldest-spring.bsc.quiknode.pro/ec468d8a1ea2c310457b2e2f4eea257e62ba3b1e/
  • cdn.jsdelivr.net/npm/qrious@4.0.2/dist/qrious.min.js
  • catalog.shopify.com/api/ucp/mcp

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs runs npx skills add <package skill> -g -y --copy during install.
  • scripts/postinstall.mjs fallback copies skills/aicard into ~/.claude/skills/aicard.
  • skills/aicard/SKILL.md instructs AI agents to run aicard setup --check first and execute card/payment workflows.
  • src/update-check.mjs runs npm install -g @aeon-ai-pay/aicard@latest and then executes postinstall.mjs in a detached updater on CLI use.
  • src/config.mjs and commands persist wallet privateKey/config under ~/.aicard/config.json.
Evidence against
  • README.md and docs disclose agent skill installation and virtual-card functionality.
  • Network/payment endpoints are mostly aligned with the package's stated virtual card and Shopify shopping purpose.
  • No source evidence of arbitrary credential harvesting beyond package wallet config use.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 32 file(s), 209 KB of source, external domains: 127.0.0.1, ai-api.aeon.xyz, catalog.shopify.com, cdn.jsdelivr.net, few-boldest-spring.bsc.quiknode.pro, github.com, nodejs.org, shopify.dev, www.w3.org

Source & flagged code

7 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
L9:
L10: import { cpSync, existsSync, mkdirSync } from 'node:fs';
L11: import { join, dirname } from 'node:path';
...
L44: // Fallback: manually copy to Claude Code
L45: const dest = join(homedir(), '.claude', 'skills', 'aicard');
L46: mkdirSync(dirname(dest), { recursive: true });
L47: cpSync(skillSrc, dest, { recursive: true, force: true });
L48: console.log(`✔ aicard skill installed to ${dest} (fallback)`);
Payload evidence from templates/codex/AGENTS.md:
L10:
L11: Returns an envelope on stdout; `envelope.data.ready === true` means ready.
L12:
...
L38:
L39: - **Never** prompt for private keys. The CLI auto-generates a local session wallet.
L40: - **Never** display full card numbers, CVV, or expiry. The CLI already redacts these to `•••• 1234`.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L9
L12: import { homedir } from 'node:os';
L13: import { execFileSync } from 'node:child_process';
L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjs · L12
L3: /**
L4:  * After npm install -g, automatically install the skill to all detected AI coding tools
L5:  *
...
L12: import { homedir } from 'node:os';
L13: import { execFileSync } from 'node:child_process';
L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjs · L3
src/update-check.mjs
matchType = normalized_sha256
matchedPackage = @aeon-ai-pay/aicard@1.0.3
matchedPath = src/update-check.mjs
matchedIdentity = npm:QGFlb24tYWktcGF5L2FpY2FyZA:1.0.3
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/update-check.mjs
src/walletconnect.mjs
matchType = normalized_sha256
matchedPackage = @aeon-ai-pay/aicard@1.0.3
matchedPath = src/walletconnect.mjs
matchedIdentity = npm:QGFlb24tYWktcGF5L2FpY2FyZA:1.0.3
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/walletconnect.mjs

Findings

1 Critical · 6 High · 4 Medium · 4 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · scripts/postinstall.mjs
High · Shell
High · Runtime Package Install · scripts/postinstall.mjs
High · Known Malware Source Similarity · src/update-check.mjs
High · Known Malware Source Similarity · src/walletconnect.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings