registry  /  @aishelf/service  /  1.0.3

@aishelf/service@1.0.3

AIShelf local service for cross-platform file access

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious install-time behavior was found, but the runtime service exposes sensitive ~/.aishelf files through unauthenticated /raw/* while binding broadly with permissive CORS. This can expose stored AIShelf/GitHub auth material if the service is reachable.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs aishelf service start, dist/server.js, or installs/starts the native service via aishelf service install
Impact
Potential disclosure of ~/.aishelf/storage/config.json token and local AIShelf data; API actions may be reachable with arbitrary decoded X-Client-Token plus stored GitHub auth
Mechanism
unauthenticated local file read endpoint and weak API client token verification
Rationale
Static inspection supports a warn-level critical runtime vulnerability rather than malicious package intent: dangerous unauthenticated file exposure exists, but activation is user-invoked and functionality aligns with the AIShelf local service. There is no lifecycle-based persistence, hidden remote code execution, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/server.jsdist/cli.js~/.aishelf/service.pid~/.aishelf/storage/config.json~/.aishelf/storage/registries~/.aishelf/storage/drafts~/.aishelf/storage/logs
Network endpoints5
kml6nyj2ad.execute-api.us-east-1.amazonaws.comkml6nyj2ad.execute-api.us-east-1.amazonaws.com/audit-logs/uploadgithub.comaishelf.devlocalhost:5314

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • dist/server.js exposes /raw/* outside /api auth and reads under ~/.aishelf
  • dist/server.js listens on port 5314 without host restriction and sets CORS Access-Control-Allow-Origin: *
  • dist/server.js stores auth token in ~/.aishelf/storage/config.json, which is reachable by /raw/storage/config.json
  • dist/server.js authenticateAishelfClient only decodes X-Client-Token without signature verification
  • dist/server.js can upload local audit logs to https://kml6nyj2ad.execute-api.us-east-1.amazonaws.com/audit-logs/upload when API is invoked
  • dist/server.js uses execAsync for git diff with quoted paths derived from local resource paths
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; only prepublishOnly build
  • CLI service install is explicit and prompts before native service registration
  • Network use is package-aligned: AIShelf backend, GitHub via Octokit/simple-git, localhost health checks
  • File writes are mainly under ~/.aishelf storage/drafts/registries/logs and user-invoked service state
  • No obfuscation, remote payload loading, credential harvesting loop, or install-time AI-agent control mutation found
  • README describes a local AIShelf service exposing localhost:5314 for clients
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 252 KB of source, external domains: aishelf.dev, github.com, kml6nyj2ad.execute-api.us-east-1.amazonaws.com, support.claude.com

Source & flagged code

3 flagged · loading source
dist/server.jsView file
2115var import_promises4 = __toESM(require("fs/promises")); L2116: var import_child_process = require("child_process"); L2117: var import_util = require("util");
High
Child Process

Package source references child process execution.

dist/server.jsView on unpkg · L2115
dist/cli.jsView file
3724if (await isDockerManaged()) { L3725: console.log("Service is already running via Docker on http://localhost:5314"); L3726: console.log("To stop it: docker stop aishelf-service"); ... L3732: console.log("Starting AIShelf service..."); L3733: const child = (0, import_child_process2.spawn)(process.execPath, [__filename.replace("cli.js", "server.js")], { L3734: detached: true, L3735: stdio: "ignore", L3736: env: { ...process.env } L3737: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L3724
146Cross-file remote execution chain: dist/cli.js spawns dist/server.js; helper contains network access plus dynamic code execution. L146: **Option 1: Use AI to help you** L147: - Add this skill to your AI model: https://github.[redacted]-creator/SKILL.md L148: - Ask your AI to help create the skill based on your requirements ... L426: var import_commander = require("commander"); L427: var import_child_process2 = require("child_process"); L428: var import_promises8 = __toESM(require("fs/promises")); ... L450: var PORT = 5314; L451: var AISHELF_ROOT = import_path.default.join(import_os.default.homedir(), ".aishelf"); L452: var PID_FILE = import_path.default.join(AISHELF_ROOT, "service.pid"); ... L484: headers: requestHeaders, L485: body: body ? JSON.stringify(body) : void 0 L486: });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L146

Findings

3 High2 Medium5 Low
HighChild Processdist/server.js
HighSame File Env Network Executiondist/cli.js
HighCross File Remote Execution Contextdist/cli.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings