registry  /  @aiden-ade/sandbox-agent  /  0.1.31

@aiden-ade/sandbox-agent@0.1.31

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `aiden-agent setup`, `login`, `daemon`, or the Aiden-launched `run-session` command.
Impact
A configured Aiden runtime can execute agent workflows and create managed git worktrees in the supplied project path.
Mechanism
Explicit Aiden agent runtime setup and remote task execution.
Rationale
Source inspection contradicts the claimed remote-asset decode-and-execute chain and finds no install hook. The package still provides explicit remote AI-agent task execution and package-owned configuration persistence, which warrants a warning rather than a block.
Evidence
package.jsondist/index.cjs~/.aiden/agent
Network endpoints4
api.aiden-platform.comapi.staging.aiden-platform.comlocalhost:8400127.0.0.1:${localApiPort}/shutdown

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.cjs` exposes an explicit `run-session` command that accepts task/prompt/session credentials from `AIDEN_*` environment variables.
  • `dist/index.cjs` connects an agent Socket.IO/WebSocket client using a session token and executes received Aiden session tasks.
  • Explicit `setup`/`login` write runtime and local-daemon tokens to the package-owned `~/.aiden/agent` configuration directory.
  • `dist/index.cjs` invokes `git` for agent worktree operations, constrained by path/ref validation.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • No source match found for `eval`, `new Function`, `vm`, or decoding fetched content into executable code.
  • Network behavior is Aiden runtime registration, device authorization, local daemon control, and session connectivity rather than covert exfiltration.
  • The scanner's child-process/decode finding includes bundled `xmlhttprequest-ssl` support code; package-owned calls are explicit CLI runtime operations.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 968 KB of source, external domains: 127.0.0.1, api.aiden-platform.com, api.staging.aiden-platform.com, developer.mozilla.org, opencode.ai, socket.io, stackoverflow.com

Source & flagged code

4 flagged · loading source
dist/index.cjsView file
32L33: // ../../node_modules/xmlhttprequest-ssl/lib/XMLHttpRequest.js L34: var require_XMLHttpRequest = __commonJS({ ... L38: var Url = require("url"); L39: var spawn4 = require("child_process").spawn; L40: module2.exports = XMLHttpRequest3; ... L199: self.status = 200; L200: self.responseText = data2.toString("utf8"); L201: self.response = data2; ... L288: request = doRequest(newOptions, responseHandler).on("error", errorHandler); L289: request.end(); L290: return;
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.cjsView on unpkg · L32
Trigger-reachable chain: manifest.bin -> dist/index.cjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg
38var Url = require("url"); L39: var spawn4 = require("child_process").spawn; L40: module2.exports = XMLHttpRequest3;
High
Child Process

Package source references child process execution.

dist/index.cjsView on unpkg · L38
32L33: // ../../node_modules/xmlhttprequest-ssl/lib/XMLHttpRequest.js L34: var require_XMLHttpRequest = __commonJS({ ... L38: var Url = require("url"); L39: var spawn4 = require("child_process").spawn; L40: module2.exports = XMLHttpRequest3; ... L199: self.status = 200; L200: self.responseText = data2.toString("utf8"); L201: self.response = data2; ... L288: request = doRequest(newOptions, responseHandler).on("error", errorHandler); L289: request.end(); L290: return;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.cjsView on unpkg · L32

Findings

2 Critical1 High3 Medium6 Low
CriticalRemote Asset Decode Executedist/index.cjs
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
HighChild Processdist/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/index.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License