registry  /  @aeon-ai-pay/aigateway  /  0.4.4

@aeon-ai-pay/aigateway@0.4.4

AI Agents discover, invoke, and settle paid LLMs, APIs, and Skills — starting with Skill Boss. No manual key setup. No prepayment. Pay-per-call via x402 or Agent Card.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package modifies AI-agent control surfaces during npm install by installing its bundled skill globally or into Claude Code. That skill can steer future agent behavior toward installing/running aigateway and initiating wallet/payment flows without the user invoking the CLI first.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm install lifecycle postinstall
Impact
Future AI-agent sessions may be influenced to run package commands, install the package globally, and enter wallet/payment flows.
Mechanism
unconsented AI-agent skill/control-surface installation
Policy narrative
On installation, the postinstall script does not merely set up the package CLI; it installs a package-supplied AI-agent skill globally via `npx skills add` or copies it into Claude Code. The installed skill contains operational instructions for agents to run aigateway prechecks, install the package if absent, and guide users through wallet/payment flows, creating an unconsented persistent agent control-surface change.
Rationale
Source inspection confirms install-time AI-agent control-surface mutation independent of explicit user CLI invocation. Other wallet and network primitives appear product-aligned, but the lifecycle skill installation is sufficient to block. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/postinstall.mjsskills/aigateway/SKILL.mdbin/cli.mjssrc/okx-wallet.mjssrc/walletconnect.mjs~/.claude/skills/aigatewayskills/aigateway
Network endpoints2
raw.githubusercontent.com/okx/onchainos-skills/main/install.shraw.githubusercontent.com/okx/onchainos-skills/main/install.ps1

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • scripts/postinstall.mjs install-time runs npx skills add -g -y --copy on package skill.
  • scripts/postinstall.mjs fallback copies skills/aigateway to ~/.claude/skills/aigateway.
  • skills/aigateway/SKILL.md instructs agents to run wallet-init unconditionally and npm install -g if missing.
  • skills/aigateway/SKILL.md instructs paid x402 calls and OKX wallet authentication flows.
Evidence against
  • package.json exposes a CLI for wallet and paid AI gateway operations; network/payment behavior is package-aligned.
  • bin/cli.mjs imports command modules only on explicit command actions.
  • src/okx-wallet.mjs wraps onchainos for user wallet login/sign/send, aligned with documented wallet mode.
  • No credential harvesting/exfiltration or destructive filesystem behavior confirmed in inspected files.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 192 KB of source, external domains: 127.0.0.1, ai-api-dev.aeon.xyz, bsc-dataseed.binance.org, cdn.jsdelivr.net, github.com, nodejs.org, raw.githubusercontent.com, www.w3.org, xlayerrpc.okx.com

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.mjsView file
9Install-time AI-agent control hijack evidence: L9: L10: import { cpSync, existsSync, mkdirSync } from 'node:fs'; L11: import { join, dirname } from 'node:path'; ... L36: // Fallback: copy manually into Claude Code L37: const dest = join(homedir(), '.claude', 'skills', 'aigateway'); L38: mkdirSync(dirname(dest), { recursive: true }); L39: cpSync(skillSrc, dest, { recursive: true, force: true }); L40: console.log(`✔ aigateway skill installed to ${dest} (fallback)`); Payload evidence from templates/codex/AGENTS.md: L11: L12: `wallet-init` returns an envelope on stdout; `envelope.data.ready === true` means ready. If `envelope.data.needsTopup === true`, run `wallet-topup` next. L13: ... L64: L65: - **Never** prompt for private keys. The CLI auto-generates a local session wallet. L66: - **Never** hard-code model ids in prompts — vendors rename. Always pull from `aigateway sb tools` first.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjsView on unpkg · L9
12import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjsView on unpkg · L12
3/** L4: * After `npm install -g`, automatically install the skill into every detected AI coding tool. L5: * ... L12: import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjsView on unpkg · L3
src/okx-wallet.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @aeon-ai-pay/aigateway@0.4.3 matchedIdentity = npm:QGFlb24tYWktcGF5L2FpZ2F0ZXdheQ:0.4.3 similarity = 0.929 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/okx-wallet.mjsView on unpkg
63const [cmd, ...args] = isWin L64: ? ['powershell', '-Command', 'irm https://raw.githubusercontent.com/okx/onchainos-skills/main/install.ps1 | iex'] L65: : ['sh', '-c', 'curl -sSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh'];
High
Shell

Package source references shell execution.

src/okx-wallet.mjsView on unpkg · L63
7*/ L8: import { execFile, spawn } from 'node:child_process'; L9: import { promisify } from 'node:util'; ... L15: const config = loadConfig(); L16: const env = { ...process.env }; L17: if (config.okxApiKey && !env.OKX_API_KEY) env.OKX_API_KEY = config.okxApiKey; ... L24: try { L25: const { stdout } = await execFileAsync('onchainos', args, { L26: env: buildEnv(), ... L30: try { L31: return JSON.parse(text); L32: } catch {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/okx-wallet.mjsView on unpkg · L7
matchType = normalized_sha256 matchedPackage = @aeon-ai-pay/aigateway@0.4.5 matchedPath = src/okx-wallet.mjs matchedIdentity = npm:QGFlb24tYWktcGF5L2FpZ2F0ZXdheQ:0.4.5 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/okx-wallet.mjsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 2795040410f5b7d6 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @aeon-ai-pay/aigateway@0.4.5 matchedPath = src/okx-wallet.mjs matchedIdentity = npm:QGFlb24tYWktcGF5L2FpZ2F0ZXdheQ:0.4.5 similarity = 1.000 shingleOverlap = 20 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

src/okx-wallet.mjsView on unpkg
src/assets/fonts/sf-pro-display_medium_500.woff2View file
path = src/assets/fonts/sf-pro-display_medium_500.woff2 kind = high_entropy_blob sizeBytes = 231128 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/fonts/sf-pro-display_medium_500.woff2View on unpkg
src/walletconnect.mjsView file
matchType = normalized_sha256 matchedPackage = @aeon-ai-pay/aigateway@0.4.5 matchedPath = src/walletconnect.mjs matchedIdentity = npm:QGFlb24tYWktcGF5L2FpZ2F0ZXdheQ:0.4.5 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/walletconnect.mjsView on unpkg

Findings

2 Critical9 High4 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.mjs
CriticalPrevious Version Dangerous Deltasrc/okx-wallet.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.mjs
HighShellsrc/okx-wallet.mjs
HighSandbox Evasion Gated Capabilitysrc/okx-wallet.mjs
HighRuntime Package Installscripts/postinstall.mjs
HighShips High Entropy Blobsrc/assets/fonts/sf-pro-display_medium_500.woff2
HighKnown Malware Source Similaritysrc/okx-wallet.mjs
HighKnown Malware Source Similaritysrc/walletconnect.mjs
HighKnown Malware Source Fingerprint Signaturesrc/okx-wallet.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings