@arbidocs/cli@0.3.110

CLI tool for interacting with ARBI — login, manage workspaces, upload documents, query the RAG assistant

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The confirmed issue is lifecycle-time shell startup file mutation for tab completion. This is persistent shell rc modification, but the installed snippet is package-aligned completion code and no install-time exfiltration or foreign AI-agent hijack was found.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
npm install runs postinstall; explicit CLI commands can later install agent skills or update the package.
Impact
Adds shell startup content that calls arbi for completions; explicit runtime commands may write package-owned config/skills or run npm update.
Mechanism
unconsented shell rc completion block plus user-invoked agent/update helpers
Attack narrative
On install, the package silently appends an idempotent completion block to the user's shell rc file. That creates persistent startup configuration, but the block only registers arbi tab completion and calls arbi --get-completions. Broader agent integrations and npm self-update behavior are present in the CLI, yet they are explicit runtime commands rather than lifecycle-triggered foreign control-surface mutation.
Rationale
Source inspection supports a warning for unconsented lifecycle shell rc persistence, not a publish block: the lifecycle script does not harvest credentials, call network endpoints, fetch code, or plant AI-agent instructions. Runtime child_process, network, and agent-skill writes are aligned with documented CLI functionality and require user invocation.
Evidence
  • package.json
  • scripts/postinstall.js
  • scripts/preuninstall.js
  • dist/index.js
  • SKILL.md
  • ~/.zshrc
  • ~/.bashrc
  • ~/.arbi/completions.json
  • ~/.arbi/version-cache.json
  • ~/.claude/commands/arbi/SKILL.md
  • ~/.arbi/openclaw-workspace/BOOTSTRAP.md
Network endpoints (2)
  • central.arbi.work
  • configured config.baseUrl

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs scripts/postinstall.js and scripts/preuninstall.js as npm lifecycle hooks.
  • scripts/postinstall.js silently appends an arbi completion function to ~/.zshrc or ~/.bashrc at install time.
  • dist/index.js has user-invoked update paths that run npm view/npm install -g @arbidocs/cli@latest.
  • dist/index.js can write ARBI skill content to ~/.claude/commands/arbi/SKILL.md, but only through agent setup/listen commands.
Evidence against
  • No install-time credential harvesting, network call, remote code fetch, or AI-agent control-surface write found in lifecycle scripts.
  • Shell completion invokes arbi --get-completions, which reads local completion cache rather than exfiltrating data.
  • Agent/Claude skill installation is runtime user-invoked, documented in SKILL.md, and package-aligned.
  • Network behavior is CLI-aligned: configured ARBI baseUrl plus https://central.arbi.work for deployment lookup.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 5 file(s), 410 KB of source, external domains: central.arbi.work, docs.anthropic.com, docs.openclaw.ai

Source & flagged code

7 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/index.js
matchType = previous_version_dangerous_delta
matchedPackage = @arbidocs/cli@0.3.108
matchedIdentity = npm:QGFyYmlkb2NzL2NsaQ:0.3.108
similarity = 0.800
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.js
L10: var sdk = require('@arbidocs/sdk');
L11: var child_process = require('child_process');
L12: var client = require('@arbidocs/client');
High
Child Process

Package source references child process execution.

dist/index.js · L10
L3753: Your arbi version is out of date (${"0.3.110"} \u2192 ${latest}). Updating...`);
L3754: child_process.execSync("npm install -g @arbidocs/cli@latest", { stdio: "inherit" });
L3755: showChangelog("0.3.110", latest);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.js · L3753
L10: var sdk = require('@arbidocs/sdk');
L11: var child_process = require('child_process');
L12: var client = require('@arbidocs/client');
...
L87: function getCacheFile() {
L88: const configDir = process.env.ARBI_CONFIG_DIR ?? path5__default.default.join(os2__default.default.homedir(), ".arbi");
L89: return path5__default.default.join(configDir, "completions.json");
...
L99: const content = fs5__default.default.readFileSync(getCacheFile(), "utf-8");
L100: const cache = JSON.parse(content);
L101: return cache.workspaces.map((w) => w.id);
...
L269: const shell = process.env.SHELL || "";
L270: if (shell.includes("zsh")) return path5.join(os2.homedir(), ".zshrc");
L271: return path5.join(os2.homedir(), ".bashrc");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.js · L10
scripts/bench-upload.mjs
Cross-file remote execution chain: scripts/bench-upload.mjs spawns dist/index.js; helper contains network access plus dynamic code execution.
L23:
L24: import { spawn } from 'node:child_process'
L25: import { writeFileSync, mkdtempSync, rmSync } from 'node:fs'
...
L134:
L135: return Buffer.from(header + body + xref, 'utf8')
L136: }
...
L144: })
L145: let stdout = ''
L146: let stderr = ''
...
L211: if (r.code !== 0) {
L212: process.stderr.write(stripAnsi(r.stdout))
L213: process.stderr.write(stripAnsi(r.stderr))
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/bench-upload.mjs · L23

Findings

1 Critical · 5 High · 5 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dist/index.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/index.js
High · Shell
High · Cross File Remote Execution Context · scripts/bench-upload.mjs
High · Runtime Package Install · dist/index.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/index.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings