@aeon-ai-pay/aicard@1.0.5

CLI & Agent skill for purchasing virtual debit cards via x402 protocol

AI Security Review

scanned 13h ago · by lpm-firewall-ai

Install-time lifecycle code registers a package-supplied AI agent skill globally and falls back to writing into Claude's home skill directory. This is an unconsented mutation of broad/foreign AI-agent control surfaces during npm install.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install / npm install -g postinstall
Impact
AI coding agents may automatically load package-supplied instructions that steer users into wallet setup and crypto payment/card workflows without explicit post-install consent.
Mechanism
lifecycle-triggered global AI skill installation via npx skills and ~/.claude copy fallback
Attack narrative
On npm install, the postinstall script locates the bundled aicard skill and runs npx skills add with global, yes, and copy flags. If that fails, it creates ~/.claude/skills and copies the same skill there. The installed skill contains operational instructions for AI agents to run the aicard CLI and manage wallet/card payment flows, so the package mutates agent behavior surfaces during lifecycle execution.
Rationale
The decisive behavior is not the user-invoked payment CLI itself but the unconsented postinstall installation of package-supplied instructions into broad/foreign AI-agent skill locations. Under the provided install control surface policy, this is blockable AI-agent control hijack.
Evidence
package.json · scripts/postinstall.mjs · skills/aicard/SKILL.md · src/commands/setup.mjs · skills/aicard · ~/.claude/skills/aicard

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs runs npx skills add <package skill> -g -y --copy at install time
  • scripts/postinstall.mjs fallback copies bundled skill into ~/.claude/skills/aicard
  • Bundled skills/aicard/SKILL.md instructs agents to run aicard setup --check and payment/card commands
  • postinstall uses child_process execFileSync to invoke npx during npm lifecycle
Evidence against
  • No direct credential exfiltration found in inspected source
  • CLI payment/network behavior is mostly user-invoked after install
  • Wallet private key generation/storage is documented as local in skills/aicard/SKILL.md and src/commands/setup.mjs
Behavioral surface
Source
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
Supply chain
HighEntropyStrings · Minified · UrlStrings
Manifest
No manifest risk signals triggered.
scanned 32 file(s), 214 KB of source, external domains: 127.0.0.1, ai-api.aeon.xyz, catalog.shopify.com, cdn.jsdelivr.net, few-boldest-spring.bsc.quiknode.pro, github.com, nodejs.org, shopify.dev, www.w3.org

Source & flagged code

7 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
  L9:
  L10: import { cpSync, existsSync, mkdirSync } from 'node:fs';
  L11: import { join, dirname } from 'node:path';
  ...
  L44: // Fallback: manually copy to Claude Code
  L45: const dest = join(homedir(), '.claude', 'skills', 'aicard');
  L46: mkdirSync(dirname(dest), { recursive: true });
  L47: cpSync(skillSrc, dest, { recursive: true, force: true });
  L48: console.log(`✔ aicard skill installed to ${dest} (fallback)`);
Payload evidence from templates/codex/AGENTS.md:
  L10:
  L11: Returns an envelope on stdout; `envelope.data.ready === true` means ready.
  L12:
  ...
  L38:
  L39: - **Never** prompt for private keys. The CLI auto-generates a local session wallet.
  L40: - **Never** display full card numbers, CVV, or expiry. The CLI already redacts these to `•••• 1234`.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L9
  L12: import { homedir } from 'node:os';
  L13: import { execFileSync } from 'node:child_process';
  L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjs · L12
  L3: /**
  L4:  * After npm install -g, automatically install the skill into all detected AI coding tools
  L5:  *
  ...
  L12: import { homedir } from 'node:os';
  L13: import { execFileSync } from 'node:child_process';
  L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjs · L3
src/update-check.mjs
  matchType = normalized_sha256
  matchedPackage = @aeon-ai-pay/aicard@1.0.4
  matchedPath = src/update-check.mjs
  matchedIdentity = npm:QGFlb24tYWktcGF5L2FpY2FyZA:1.0.4
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/update-check.mjs
src/walletconnect.mjs
  matchType = normalized_sha256
  matchedPackage = @aeon-ai-pay/aicard@1.0.4
  matchedPath = src/walletconnect.mjs
  matchedIdentity = npm:QGFlb24tYWktcGF5L2FpY2FyZA:1.0.4
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/walletconnect.mjs

Findings

1 Critical · 6 High · 4 Medium · 4 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · scripts/postinstall.mjs
High · Shell
High · Runtime Package Install · scripts/postinstall.mjs
High · Known Malware Source Similarity · src/update-check.mjs
High · Known Malware Source Similarity · src/walletconnect.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings