
@aiden-ade/sandbox-agent@0.1.25

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an Aiden agent CLI/daemon that can run local AI provider CLIs and connect to Aiden WebSocket endpoints after user setup or AIDEN_* runtime launch.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: User runs aiden-agent setup/login/daemon or Aiden launches run-session with required AIDEN_* env vars
Impact: Package-aligned remote agent execution in the configured workspace; no install-time execution or covert exfiltration confirmed
Mechanism: authenticated agent runtime command relay
Rationale: Static inspection shows a high-privilege agent runtime, but the risky primitives are user-invoked and aligned with the package purpose, with authenticated Aiden endpoints and no lifecycle execution, covert payload execution, or unconsented control-surface mutation found. The updater and credential reads are concerning primitives but either appear unreachable from the entrypoint or are used for provider-limit metadata rather than exfiltration.
Evidence
  • package.json
  • dist/index.cjs
  • dist/index.js
  • dist/core-agent.js
  • dist/sandbox.js
  • dist/updater.js
  • ~/.aiden/agent/config.json
  • ~/.aiden/agent/endpoints.json
  • ~/.claude/.credentials.json
Network endpoints (7)
  • api.aiden-platform.com
  • wss://ws.aiden-platform.com
  • localhost:8400
  • ws://localhost:8401
  • 127.0.0.1:<port>/status
  • 127.0.0.1:<port>/shutdown
  • api.anthropic.com/api/oauth/usage

Decision evidence

public snapshot
AI called this Clean at 78.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.cjs:13220 daemon accepts authenticated WS agent.execute payloads and runs CoreAgent on requested projectPath
  • dist/core-agent.js:84 inherits process.env into provider CLI environment
  • dist/index.cjs:5070 reads Claude credentials to query Anthropic usage; dist/index.cjs:4992 spawns codex read-only app-server for rate limits
  • dist/updater.js has npm global self-update helpers, though no reachable caller found in entrypoint
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • package.json bin points to dist/index.cjs; execution requires user CLI invocation or AIDEN_* session env
  • dist/index.cjs setup/login writes Aiden runtime config only after explicit setup/login/device auth
  • Network endpoints are Aiden/localhost/Anthropic usage APIs and align with agent runtime functions
  • No eval/new Function or remote asset decode-and-execute found; scanner hit is bundled xmlhttprequest sync helper/base64 transport code
  • dist/updater.js installUpdate/respawnAgent are not referenced from dist/index.cjs or JS entry files
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 10 file(s), 508 KB of source, external domains: 127.0.0.1, developer.mozilla.org, opencode.ai, socket.io, stackoverflow.com

Source & flagged code

5 flagged
dist/updater.js
L4: */
L5: import { execSync, spawn } from "node:child_process";
L6: const DEFAULT_PATH = "/home/user/.local/node/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
High
Child Process

Package source references child process execution.

dist/updater.js · L4
L18: console.info(`[updater] Installing @aiden-ade/sandbox-agent@${version} via npm`);
L19: execSync(`npm install -g @aiden-ade/sandbox-agent@${version}`, {
L20:   timeout: 60_000,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/updater.js · L18
dist/index.cjs
L32:
L33: // ../../node_modules/xmlhttprequest-ssl/lib/XMLHttpRequest.js
L34: var require_XMLHttpRequest = __commonJS({
...
L38: var Url = require("url");
L39: var spawn3 = require("child_process").spawn;
L40: module2.exports = XMLHttpRequest3;
...
L199: self.status = 200;
L200: self.responseText = data2.toString("utf8");
L201: self.response = data2;
...
L288: request = doRequest(newOptions, responseHandler).on("error", errorHandler);
L289: request.end();
L290: return;
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.cjs · L32
Trigger-reachable chain: manifest.bin -> dist/index.cjs
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjs
L32:
L33: // ../../node_modules/xmlhttprequest-ssl/lib/XMLHttpRequest.js
L34: var require_XMLHttpRequest = __commonJS({
...
L38: var Url = require("url");
L39: var spawn3 = require("child_process").spawn;
L40: module2.exports = XMLHttpRequest3;
...
L199: self.status = 200;
L200: self.responseText = data2.toString("utf8");
L201: self.response = data2;
...
L288: request = doRequest(newOptions, responseHandler).on("error", errorHandler);
L289: request.end();
L290: return;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.cjs · L32

Findings

2 Critical, 3 High, 3 Medium, 6 Low
  • Critical · Remote Asset Decode Execute · dist/index.cjs
  • Critical · Trigger Reachable Dangerous Capability · dist/index.cjs
  • High · Child Process · dist/updater.js
  • High · Shell
  • High · Runtime Package Install · dist/updater.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Weak Crypto · dist/index.cjs
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License