
@aiden-ade/sandbox-agent@0.1.27

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Package provides a user-invoked Aiden runtime daemon that can receive remote tasks and launch local AI agent CLIs. This is a dangerous agent-control capability, but source inspection did not find unconsented install-time hijacking or credential exfiltration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs aiden-agent setup/login and then aiden-agent daemon, or Aiden launches run-session with AIDEN_* env vars.
Impact
Registered Aiden control plane can cause local agent execution in the configured workspace with inherited environment and optional skipped permissions.
Mechanism
remote websocket-controlled local AI CLI runner
Attack narrative
After explicit setup/login, the daemon stores runtime tokens locally, connects to Aiden websocket endpoints, accepts agent.execute messages, and launches local provider CLIs to work in the selected project. Some backends may be invoked with permission-bypass flags. This is package-aligned but high-risk remote agent orchestration, not an install-time takeover.
Rationale
The package contains real remote agent execution and self-update capabilities, so a warn verdict is appropriate. It lacks lifecycle hooks or unconsented writes to broad/foreign AI-agent control surfaces, and the network endpoints and config files are aligned with the Aiden runtime product.
Evidence
  • package.json
  • dist/index.cjs
  • dist/index.js
  • dist/core-agent.js
  • dist/updater.js
  • ~/.aiden/agent/config.json
  • ~/.aiden/agent/endpoints.json
  • <projectPath>-aiden-worktrees/
  • temporary attachment/image files under runtime cwd
Network endpoints (6)
  • api.aiden-platform.com
  • wss://ws.aiden-platform.com
  • localhost:8400
  • ws://localhost:8401
  • 127.0.0.1:<localApiPort>/status
  • 127.0.0.1:<localApiPort>/shutdown

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.cjs exposes setup/login/daemon commands for a durable Aiden runtime.
  • dist/index.cjs daemon connects to configured WS and accepts remote agent.execute payloads.
  • dist/index.cjs launches local AI CLIs including claude/codex/cursor/opencode/gemini from remote run payloads.
  • dist/index.cjs can pass --dangerously-skip-permissions to supported backends when not read-only.
  • dist/updater.js can run npm install -g @aiden-ade/sandbox-agent@<version> and respawn aiden-agent.
Evidence against
  • package.json has no npm lifecycle hooks; bin is user-invoked ./dist/index.cjs.
  • setup/login require explicit command plus setup token, PAT, or browser device approval before durable daemon config is written.
  • Config writes are scoped to ~/.aiden/agent/config.json unless overridden by AIDEN_AGENT_CONFIG_PATH.
  • No evidence of install-time writes to foreign AI control surfaces such as .mcp.json, CLAUDE.md, or Claude/Codex settings.
  • The scanner's remote decode/execute hit is the bundled xmlhttprequest-ssl synchronous-request code, not package-specific payload loading.
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain
High Entropy Strings, Url Strings
Manifest
No License
scanned 10 file(s), 534 KB of source, external domains: 127.0.0.1, api.aiden-platform.com, developer.mozilla.org, opencode.ai, socket.io, stackoverflow.com

Source & flagged code

5 flagged
dist/updater.js
  L4: */
  L5: import { execSync, spawn } from "node:child_process";
  L6: const DEFAULT_PATH = "/home/user/.local/node/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
High
Child Process

Package source references child process execution.

dist/updater.js · L4
  L18: console.info(`[updater] Installing @aiden-ade/sandbox-agent@${version} via npm`);
  L19: execSync(`npm install -g @aiden-ade/sandbox-agent@${version}`, {
  L20:   timeout: 60_000,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/updater.js · L18
dist/index.cjs
  L32:
  L33: // ../../node_modules/xmlhttprequest-ssl/lib/XMLHttpRequest.js
  L34: var require_XMLHttpRequest = __commonJS({
  ...
  L38: var Url = require("url");
  L39: var spawn3 = require("child_process").spawn;
  L40: module2.exports = XMLHttpRequest3;
  ...
  L199: self.status = 200;
  L200: self.responseText = data2.toString("utf8");
  L201: self.response = data2;
  ...
  L288: request = doRequest(newOptions, responseHandler).on("error", errorHandler);
  L289: request.end();
  L290: return;
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.cjs · L32
Trigger-reachable chain: manifest.bin -> dist/index.cjs
The reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjs
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.cjs · L32

Findings

2 Critical · 3 High · 3 Medium · 6 Low

Severity   Finding                                   File
Critical   Remote Asset Decode Execute               dist/index.cjs
Critical   Trigger Reachable Dangerous Capability    dist/index.cjs
High       Child Process                             dist/updater.js
High       Shell
High       Runtime Package Install                   dist/updater.js
Medium     Network
Medium     Environment Vars
Medium     Structural Risk Force Deep Review
Low        Scripts Present
Low        Weak Crypto                               dist/index.cjs
Low        Filesystem
Low        High Entropy Strings
Low        Url Strings
Low        No License