registry  /  @aeon-ai-pay/aigateway  /  0.4.3

@aeon-ai-pay/aigateway@0.4.3

AI Agents discover, invoke, and settle paid LLMs, APIs, and Skills — starting with Skill Boss. No manual key setup. No prepayment. Pay-per-call via x402 or Agent Card.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates AI-agent control surfaces during npm install. It globally installs a bundled skill into detected agent tools or copies it into Claude skills without an explicit user command beyond package installation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install or npm install -g runs package postinstall; later CLI startup may rerun postinstall after auto-update.
Impact
AI agents may follow package-supplied instructions and invoke paid aigateway wallet/tool commands; package-controlled skill updates can be propagated globally.
Mechanism
unconsented lifecycle AI-agent skill installation
Policy narrative
On installation, the postinstall hook runs npx skills add against the bundled skills/aigateway directory with global and yes flags, or directly copies that skill to ~/.claude/skills/aigateway. That is a package-supplied AI-agent instruction set installed outside normal package boundaries without a separate user opt-in. The CLI also has an update path that can globally npm install a newer version and rerun postinstall, preserving the control-surface mutation behavior.
Rationale
Static source inspection confirms install-time, package-controlled AI-agent skill installation via lifecycle hook, which is an unconsented agent control-surface mutation. Other risky crypto, shell, and network primitives are mostly product-aligned, but they do not neutralize the install-time agent hijack behavior. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/postinstall.mjsskills/aigateway/SKILL.mdsrc/update-check.mjssrc/okx-wallet.mjssrc/config.mjsskills/aigateway~/.claude/skills/aigateway
Network endpoints5
raw.githubusercontent.com/okx/onchainos-skills/main/install.shraw.githubusercontent.com/okx/onchainos-skills/main/install.ps1ai-api-dev.aeon.xyzxlayerrpc.okx.combsc-dataseed.binance.org/

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs runs npx skills add skills/aigateway -g -y --copy at install time
  • scripts/postinstall.mjs fallback copies package skill into ~/.claude/skills/aigateway
  • skills/aigateway/SKILL.md contains agent instructions that make agents run aigateway wallet-init before tool use
  • src/update-check.mjs can npm install -g a newer package and rerun postinstall on CLI startup
  • src/okx-wallet.mjs can execute remote OKX installer via curl|sh or PowerShell, but only during wallet-mode use
Evidence against
  • No import-time payload beyond CLI update check; dangerous wallet/network flows are command-driven
  • No source evidence of credential harvesting or exfiltration beyond documented wallet/config use
  • Network endpoints are aligned with AI gateway, blockchain RPC, npm update, WalletConnect/OKX functionality
  • High-entropy woff2/png assets appear to be fonts/images, not executed code
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 191 KB of source, external domains: 127.0.0.1, ai-api-dev.aeon.xyz, bsc-dataseed.binance.org, cdn.jsdelivr.net, github.com, nodejs.org, raw.githubusercontent.com, www.w3.org, xlayerrpc.okx.com

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.mjsView file
9Install-time AI-agent control hijack evidence: L9: L10: import { cpSync, existsSync, mkdirSync } from 'node:fs'; L11: import { join, dirname } from 'node:path'; ... L36: // Fallback: copy manually into Claude Code L37: const dest = join(homedir(), '.claude', 'skills', 'aigateway'); L38: mkdirSync(dirname(dest), { recursive: true }); L39: cpSync(skillSrc, dest, { recursive: true, force: true }); L40: console.log(`✔ aigateway skill installed to ${dest} (fallback)`); Payload evidence from templates/codex/AGENTS.md: L11: L12: `wallet-init` returns an envelope on stdout; `envelope.data.ready === true` means ready. If `envelope.data.needsTopup === true`, run `wallet-topup` next. L13: ... L64: L65: - **Never** prompt for private keys. The CLI auto-generates a local session wallet. L66: - **Never** hard-code model ids in prompts — vendors rename. Always pull from `aigateway sb tools` first.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjsView on unpkg · L9
12import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjsView on unpkg · L12
3/** L4: * After `npm install -g`, automatically install the skill into every detected AI coding tool. L5: * ... L12: import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjsView on unpkg · L3
src/okx-wallet.mjsView file
63const [cmd, ...args] = isWin L64: ? ['powershell', '-Command', 'irm https://raw.githubusercontent.com/okx/onchainos-skills/main/install.ps1 | iex'] L65: : ['sh', '-c', 'curl -sSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh'];
High
Shell

Package source references shell execution.

src/okx-wallet.mjsView on unpkg · L63
7*/ L8: import { execFile, spawn } from 'node:child_process'; L9: import { promisify } from 'node:util'; ... L15: const config = loadConfig(); L16: const env = { ...process.env }; L17: if (config.okxApiKey && !env.OKX_API_KEY) env.OKX_API_KEY = config.okxApiKey; ... L24: try { L25: const { stdout } = await execFileAsync('onchainos', args, { L26: env: buildEnv(), ... L30: try { L31: return JSON.parse(text); L32: } catch {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/okx-wallet.mjsView on unpkg · L7
src/assets/fonts/sf-pro-display_medium_500.woff2View file
path = src/assets/fonts/sf-pro-display_medium_500.woff2 kind = high_entropy_blob sizeBytes = 231128 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/fonts/sf-pro-display_medium_500.woff2View on unpkg

Findings

1 Critical6 High4 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.mjs
HighShellsrc/okx-wallet.mjs
HighSandbox Evasion Gated Capabilitysrc/okx-wallet.mjs
HighRuntime Package Installscripts/postinstall.mjs
HighShips High Entropy Blobsrc/assets/fonts/sf-pro-display_medium_500.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings