@aishelf/service@1.0.5

AIShelf local service for cross-platform file access

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious install-time behavior was found, but the local service exposes an unauthenticated raw file endpoint for its own ~/.aishelf data with wildcard CORS. If the service is running and authenticated, a web page could read the stored AIShelf/GitHub token from the local service.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs aishelf service start or installs/starts the native service, then visits attacker-controlled web content.
Impact
possible local AIShelf config and stored token disclosure from ~/.aishelf
Mechanism
unauthenticated local HTTP file read with wildcard CORS
Rationale
Static inspection shows a serious local-service exposure, but no unconsented lifecycle execution, stealth persistence, foreign AI-agent control mutation, obfuscation, or direct attacker exfiltration. Treat as a warning-worthy critical vulnerability rather than malicious package behavior.
Evidence
package.json, README.md, dist/server.js, dist/cli.js, ~/.aishelf/storage/config.json, ~/.aishelf/service.pid, ~/.aishelf/storage/registries, ~/.aishelf/storage/drafts, ~/.aishelf/storage/logs
Network endpoints (4)
kml6nyj2ad.execute-api.us-east-1.amazonaws.com, github.com, aishelf.dev, localhost:5314

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • dist/server.js starts local Express service on port 5314 with CORS Access-Control-Allow-Origin '*'.
  • dist/server.js exposes unauthenticated GET /raw/* mapped to AISHELF_ROOT via filesystemService.read.
  • dist/server.js stores auth token in ~/.aishelf/storage/config.json and /raw/storage/config.json would be readable while service runs.
  • dist/server.js sends bearer token to package backend and GitHub APIs; token is package-aligned but sensitive.
  • dist/cli.js can install a native OS service, but only via explicit aishelf service install with confirmation.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build hook.
  • CLI service start/install is user-invoked, not automatic at npm install or import time.
  • No obfuscated payloads or prompt/reviewer manipulation found in package files.
  • child_process use is limited to starting server/docker checks and git diff in local draft comparison.
  • Filesystem writes are under ~/.aishelf storage/registries/drafts or user-selected registry resources.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 252 KB of source, external domains: aishelf.dev, github.com, kml6nyj2ad.execute-api.us-east-1.amazonaws.com, support.claude.com

Source & flagged code

3 flagged
dist/server.js
L2120: var import_promises4 = __toESM(require("fs/promises"));
L2121: var import_child_process = require("child_process");
L2122: var import_util = require("util");
High
Child Process

Package source references child process execution.

dist/server.js · L2120
dist/cli.js
L3729: if (await isDockerManaged()) {
L3730: console.log("Service is already running via Docker on http://localhost:5314");
L3731: console.log("To stop it: docker stop aishelf-service");
...
L3737: console.log("Starting AIShelf service...");
L3738: const child = (0, import_child_process2.spawn)(process.execPath, [__filename.replace("cli.js", "server.js")], {
L3739: detached: true,
L3740: stdio: "ignore",
L3741: env: { ...process.env }
L3742: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.js · L3729
Cross-file remote execution chain: dist/cli.js spawns dist/server.js; helper contains network access plus dynamic code execution.
L146: **Option 1: Use AI to help you**
L147: - Add this skill to your AI model: https://github.[redacted]-creator/SKILL.md
L148: - Ask your AI to help create the skill based on your requirements
...
L426: var import_commander = require("commander");
L427: var import_child_process2 = require("child_process");
L428: var import_promises8 = __toESM(require("fs/promises"));
...
L450: var PORT = 5314;
L451: var AISHELF_ROOT = import_path.default.join(import_os.default.homedir(), ".aishelf");
L452: var PID_FILE = import_path.default.join(AISHELF_ROOT, "service.pid");
...
L484: headers: requestHeaders,
L485: body: body ? JSON.stringify(body) : void 0
L486: });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.js · L146

Findings

3 High · 2 Medium · 5 Low
High · Child Process · dist/server.js
High · Same File Env Network Execution · dist/cli.js
High · Cross File Remote Execution Context · dist/cli.js
Medium · Network
Medium · Environment Vars
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings