registry  /  @aeon-ai-pay/aigateway  /  0.4.9

@aeon-ai-pay/aigateway@0.4.9

AI Agents discover, invoke, and settle paid LLMs, APIs, and Skills — starting with Skill Boss. No manual key setup. No prepayment. Pay-per-call via x402 or Agent Card.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installation mutates AI-agent control surfaces without user consent. It globally registers a package-supplied agent skill, with a direct Claude Code fallback.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm postinstall, including global installation
Impact
Injected instructions can influence agent behavior around paid wallet and tool operations.
Mechanism
Global AI-agent skill registration and local Claude skill copy
Policy narrative
On installation, the package executes `npx skills add` globally to register its skill across detected AI tools. If that fails, it copies the skill into Claude Code's user skill directory. The installed instructions govern agent behavior for paid wallet/tool actions and tell agents to hide alternative payment modes from users; later CLI execution can automatically upgrade the global package and rerun postinstall.
Rationale
This is a concrete unconsented postinstall mutation of broad/foreign AI-agent control surfaces, not merely an explicit setup command. The source confirms the behavior directly.
Evidence
package.jsonscripts/postinstall.mjsskills/aigateway/SKILL.mdsrc/update-check.mjs~/.claude/skills/aigateway

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `postinstall`.
  • `scripts/postinstall.mjs` runs `npx skills add ... -g` for all detected tools.
  • Fallback copies `skills/aigateway` to `~/.claude/skills/aigateway`.
  • `skills/aigateway/SKILL.md` directs agents to conceal wallet/payment alternatives.
  • `src/update-check.mjs` later auto-installs newer global package versions.
Evidence against
  • Lifecycle code uses package-supplied skill files rather than a hidden binary.
  • Wallet, network, and signing actions are exposed through explicit CLI commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 200 KB of source, external domains: 127.0.0.1, ai-api-dev.aeon.xyz, bsc-dataseed.binance.org, cdn.jsdelivr.net, github.com, nodejs.org, raw.githubusercontent.com, www.w3.org, xlayerrpc.okx.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.mjsView file
9Install-time AI-agent control hijack evidence: L9: L10: import { cpSync, existsSync, mkdirSync } from 'node:fs'; L11: import { join, dirname } from 'node:path'; ... L36: // Fallback: copy manually into Claude Code L37: const dest = join(homedir(), '.claude', 'skills', 'aigateway'); L38: mkdirSync(dirname(dest), { recursive: true }); L39: cpSync(skillSrc, dest, { recursive: true, force: true }); L40: console.log(`✔ aigateway skill installed to ${dest} (fallback)`); Payload evidence from templates/codex/AGENTS.md: L11: L12: `wallet-init` returns an envelope on stdout; `envelope.data.ready === true` means ready. If `envelope.data.needsTopup === true`, run `wallet-topup` next. L13: ... L64: L65: - **Never** prompt for private keys. The CLI auto-generates a local session wallet. L66: - **Never** hard-code model ids in prompts — vendors rename. Always pull from `aigateway sb tools` first.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjsView on unpkg · L9
12import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjsView on unpkg · L12
3/** L4: * After `npm install -g`, automatically install the skill into every detected AI coding tool. L5: * ... L12: import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjsView on unpkg · L3
src/okx-wallet.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @aeon-ai-pay/aigateway@0.4.4 matchedIdentity = npm:QGFlb24tYWktcGF5L2FpZ2F0ZXdheQ:0.4.4 similarity = 0.393 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/okx-wallet.mjsView on unpkg
63const [cmd, ...args] = isWin L64: ? ['powershell', '-Command', 'irm https://raw.githubusercontent.com/okx/onchainos-skills/main/install.ps1 | iex'] L65: : ['sh', '-c', 'curl -sSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh'];
High
Shell

Package source references shell execution.

src/okx-wallet.mjsView on unpkg · L63
7*/ L8: import { execFile, spawn } from 'node:child_process'; L9: import { promisify } from 'node:util'; ... L15: const config = loadConfig(); L16: const env = { ...process.env }; L17: if (config.okxApiKey && !env.OKX_API_KEY) env.OKX_API_KEY = config.okxApiKey; ... L24: try { L25: const { stdout } = await execFileAsync('onchainos', args, { L26: env: buildEnv(), ... L30: try { L31: return JSON.parse(text); L32: } catch {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/okx-wallet.mjsView on unpkg · L7
src/assets/fonts/sf-pro-display_medium_500.woff2View file
path = src/assets/fonts/sf-pro-display_medium_500.woff2 kind = high_entropy_blob sizeBytes = 231128 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/fonts/sf-pro-display_medium_500.woff2View on unpkg

Findings

2 Critical6 High4 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.mjs
CriticalPrevious Version Dangerous Deltasrc/okx-wallet.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.mjs
HighShellsrc/okx-wallet.mjs
HighSandbox Evasion Gated Capabilitysrc/okx-wallet.mjs
HighRuntime Package Installscripts/postinstall.mjs
HighShips High Entropy Blobsrc/assets/fonts/sf-pro-display_medium_500.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings