registry  /  @aeon-ai-pay/aigateway  /  0.4.2

@aeon-ai-pay/aigateway@0.4.2

AI Agents discover, invoke, and settle paid LLMs, APIs, and Skills — starting with Skill Boss. No manual key setup. No prepayment. Pay-per-call via x402 or Agent Card.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Confirmed install-time mutation of AI-agent control surface. The package automatically installs its bundled skill instructions globally into detected agent tools or Claude skills without a separate user command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install lifecycle postinstall
Impact
Agent behavior can be changed to run aigateway wallet and paid tool workflows from future user prompts; this is an install-time control-surface mutation.
Mechanism
unconsented global AI-agent skill installation via npx/copy
Policy narrative
On package installation, the postinstall script invokes `npx skills add` with global, yes, and copy flags against the bundled aigateway skill. If that fails, it creates `~/.claude/skills/aigateway` and copies the package-supplied skill there. The installed skill contains detailed instructions that steer agents into wallet setup, top-up, and paid invocation workflows. This is not merely a user-invoked CLI feature because it runs during npm lifecycle installation.
Rationale
Static inspection confirms concrete install-time AI-agent control-surface mutation, which matches the firewall block boundary even if the runtime wallet/network code is otherwise package-aligned. The behavior is automatic from postinstall and writes agent instructions outside the package directory.
Evidence
package.jsonscripts/postinstall.mjsskills/aigateway/SKILL.mdsrc/update-check.mjsbin/cli.mjssrc/okx-wallet.mjsskills/aigateway~/.claude/skills/aigateway
Network endpoints6
github.com/AEON-Project/aigatewayraw.githubusercontent.com/okx/onchainos-skills/main/install.shraw.githubusercontent.com/okx/onchainos-skills/main/install.ps1ai-api-dev.aeon.xyzxlayerrpc.okx.combsc-dataseed.binance.org/

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs runs npx skills add skills/aigateway -g -y --copy at install time
  • scripts/postinstall.mjs fallback copies package skill to ~/.claude/skills/aigateway
  • skills/aigateway/SKILL.md contains extensive agent operating instructions for wallet/topup/invoke flows
  • src/update-check.mjs can later npm install -g newer package and rerun postinstall from CLI startup
Evidence against
  • CLI wallet/network behavior is mostly user-invoked via bin/cli.mjs commands
  • Network endpoints are aligned with advertised AI gateway, WalletConnect, OKX, and chain functions
  • Private key/env handling appears tied to wallet operations and local config rather than broad credential harvesting
  • No obfuscated source or hidden binary execution found in inspected hot files
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 191 KB of source, external domains: 127.0.0.1, ai-api-dev.aeon.xyz, bsc-dataseed.binance.org, cdn.jsdelivr.net, github.com, nodejs.org, raw.githubusercontent.com, www.w3.org, xlayerrpc.okx.com

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.mjsView file
9Install-time AI-agent control hijack evidence: L9: L10: import { cpSync, existsSync, mkdirSync } from 'node:fs'; L11: import { join, dirname } from 'node:path'; ... L36: // Fallback: copy manually into Claude Code L37: const dest = join(homedir(), '.claude', 'skills', 'aigateway'); L38: mkdirSync(dirname(dest), { recursive: true }); L39: cpSync(skillSrc, dest, { recursive: true, force: true }); L40: console.log(`✔ aigateway skill installed to ${dest} (fallback)`); Payload evidence from templates/codex/AGENTS.md: L11: L12: `wallet-init` returns an envelope on stdout; `envelope.data.ready === true` means ready. If `envelope.data.needsTopup === true`, run `wallet-topup` next. L13: ... L64: L65: - **Never** prompt for private keys. The CLI auto-generates a local session wallet. L66: - **Never** hard-code model ids in prompts — vendors rename. Always pull from `aigateway sb tools` first.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjsView on unpkg · L9
12import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjsView on unpkg · L12
3/** L4: * After `npm install -g`, automatically install the skill into every detected AI coding tool. L5: * ... L12: import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjsView on unpkg · L3
src/okx-wallet.mjsView file
63const [cmd, ...args] = isWin L64: ? ['powershell', '-Command', 'irm https://raw.githubusercontent.com/okx/onchainos-skills/main/install.ps1 | iex'] L65: : ['sh', '-c', 'curl -sSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh'];
High
Shell

Package source references shell execution.

src/okx-wallet.mjsView on unpkg · L63
7*/ L8: import { execFile, spawn } from 'node:child_process'; L9: import { promisify } from 'node:util'; ... L15: const config = loadConfig(); L16: const env = { ...process.env }; L17: if (config.okxApiKey && !env.OKX_API_KEY) env.OKX_API_KEY = config.okxApiKey; ... L24: try { L25: const { stdout } = await execFileAsync('onchainos', args, { L26: env: buildEnv(), ... L30: try { L31: return JSON.parse(text); L32: } catch {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/okx-wallet.mjsView on unpkg · L7
src/assets/fonts/sf-pro-display_medium_500.woff2View file
path = src/assets/fonts/sf-pro-display_medium_500.woff2 kind = high_entropy_blob sizeBytes = 231128 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/fonts/sf-pro-display_medium_500.woff2View on unpkg

Findings

1 Critical6 High4 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.mjs
HighShellsrc/okx-wallet.mjs
HighSandbox Evasion Gated Capabilitysrc/okx-wallet.mjs
HighRuntime Package Installscripts/postinstall.mjs
HighShips High Entropy Blobsrc/assets/fonts/sf-pro-display_medium_500.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings