registry  /  @aeon-ai-pay/aigateway  /  0.4.5

@aeon-ai-pay/aigateway@0.4.5

AI Agents discover, invoke, and settle paid LLMs, APIs, and Skills — starting with Skill Boss. No manual key setup. No prepayment. Pay-per-call via x402 or Agent Card.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates AI-agent control surfaces during npm postinstall by globally installing a bundled agent skill. The installed skill can steer future AI-agent behavior toward wallet and payment commands.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm install lifecycle postinstall
Impact
Unconsented agent-control configuration change outside node_modules; future agent sessions may follow package-supplied wallet/payment instructions.
Mechanism
install-time AI-agent skill installation
Policy narrative
Installing the package automatically runs scripts/postinstall.mjs. That script invokes npx skills add with -g and --copy to install the package's bundled AI-agent skill into detected tools, or copies it directly into ~/.claude/skills/aigateway as fallback. The skill contains operational instructions that alter how future AI-agent sessions invoke wallet and payment flows.
Rationale
Source inspection confirms unconsented lifecycle mutation of AI-agent control files, which is a concrete firewall block condition independent of whether the wallet features are otherwise package-aligned. No credential theft was found, but the postinstall agent-control write is sufficient for a malicious verdict.
Evidence
package.jsonscripts/postinstall.mjsskills/aigateway/SKILL.mdbin/cli.mjssrc/update-check.mjssrc/okx-wallet.mjssrc/config.mjs~/.claude/skills/aigatewayskills/aigatewayglobal AI tool skill locations managed by npx skills add
Network endpoints4
github.com/AEON-Project/aigatewayai-api-dev.aeon.xyzraw.githubusercontent.com/okx/onchainos-skills/main/install.shraw.githubusercontent.com/okx/onchainos-skills/main/install.ps1

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs runs npx skills add <package skill> -g -y --copy during install
  • scripts/postinstall.mjs fallback copies bundled skill into ~/.claude/skills/aigateway
  • skills/aigateway/SKILL.md contains agent instructions to run aigateway wallet-init first and drive wallet/payment flows
  • bin/cli.mjs imports update-check, which can npm install -g a newer package and rerun postinstall on normal CLI startup
Evidence against
  • No install-time credential/env harvesting found in scripts/postinstall.mjs
  • Runtime wallet and x402 commands are advertised package functionality and user-invoked
  • No obfuscated eval/vm/native binary loader found in inspected source
  • Network endpoints mostly align with payment gateway, catalog, update, WalletConnect, and OKX installer behavior
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 192 KB of source, external domains: 127.0.0.1, ai-api-dev.aeon.xyz, bsc-dataseed.binance.org, cdn.jsdelivr.net, github.com, nodejs.org, raw.githubusercontent.com, www.w3.org, xlayerrpc.okx.com

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.mjsView file
9Install-time AI-agent control hijack evidence: L9: L10: import { cpSync, existsSync, mkdirSync } from 'node:fs'; L11: import { join, dirname } from 'node:path'; ... L36: // Fallback: copy manually into Claude Code L37: const dest = join(homedir(), '.claude', 'skills', 'aigateway'); L38: mkdirSync(dirname(dest), { recursive: true }); L39: cpSync(skillSrc, dest, { recursive: true, force: true }); L40: console.log(`✔ aigateway skill installed to ${dest} (fallback)`); Payload evidence from templates/codex/AGENTS.md: L11: L12: `wallet-init` returns an envelope on stdout; `envelope.data.ready === true` means ready. If `envelope.data.needsTopup === true`, run `wallet-topup` next. L13: ... L64: L65: - **Never** prompt for private keys. The CLI auto-generates a local session wallet. L66: - **Never** hard-code model ids in prompts — vendors rename. Always pull from `aigateway sb tools` first.
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjsView on unpkg · L9
12import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

scripts/postinstall.mjsView on unpkg · L12
3/** L4: * After `npm install -g`, automatically install the skill into every detected AI coding tool. L5: * ... L12: import { homedir } from 'node:os'; L13: import { execFileSync } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjsView on unpkg · L3
src/okx-wallet.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @aeon-ai-pay/aigateway@0.4.3 matchedIdentity = npm:QGFlb24tYWktcGF5L2FpZ2F0ZXdheQ:0.4.3 similarity = 0.929 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/okx-wallet.mjsView on unpkg
63const [cmd, ...args] = isWin L64: ? ['powershell', '-Command', 'irm https://raw.githubusercontent.com/okx/onchainos-skills/main/install.ps1 | iex'] L65: : ['sh', '-c', 'curl -sSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh'];
High
Shell

Package source references shell execution.

src/okx-wallet.mjsView on unpkg · L63
7*/ L8: import { execFile, spawn } from 'node:child_process'; L9: import { promisify } from 'node:util'; ... L15: const config = loadConfig(); L16: const env = { ...process.env }; L17: if (config.okxApiKey && !env.OKX_API_KEY) env.OKX_API_KEY = config.okxApiKey; ... L24: try { L25: const { stdout } = await execFileAsync('onchainos', args, { L26: env: buildEnv(), ... L30: try { L31: return JSON.parse(text); L32: } catch {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/okx-wallet.mjsView on unpkg · L7
matchType = token_shingles matchedPackage = @aeon-ai-pay/aigateway@0.4.2 matchedPath = src/okx-wallet.mjs matchedIdentity = npm:QGFlb24tYWktcGF5L2FpZ2F0ZXdheQ:0.4.2 similarity = 1.000 shingleOverlap = 48 summary = source token shingles overlapped finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/okx-wallet.mjsView on unpkg
src/assets/fonts/sf-pro-display_medium_500.woff2View file
path = src/assets/fonts/sf-pro-display_medium_500.woff2 kind = high_entropy_blob sizeBytes = 231128 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/fonts/sf-pro-display_medium_500.woff2View on unpkg
src/walletconnect.mjsView file
matchType = normalized_sha256 matchedPackage = @aeon-ai-pay/aigateway@0.4.2 matchedPath = src/walletconnect.mjs matchedIdentity = npm:QGFlb24tYWktcGF5L2FpZ2F0ZXdheQ:0.4.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/walletconnect.mjsView on unpkg

Findings

2 Critical8 High4 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.mjs
CriticalPrevious Version Dangerous Deltasrc/okx-wallet.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.mjs
HighShellsrc/okx-wallet.mjs
HighSandbox Evasion Gated Capabilitysrc/okx-wallet.mjs
HighRuntime Package Installscripts/postinstall.mjs
HighShips High Entropy Blobsrc/assets/fonts/sf-pro-display_medium_500.woff2
HighKnown Malware Source Similaritysrc/okx-wallet.mjs
HighKnown Malware Source Similaritysrc/walletconnect.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings