registry  /  @askexenow/exe-os  /  0.9.330

@askexenow/exe-os@0.9.330

⚠ Under review

AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.

Static Scan Results

scanned 8m ago · by rust-scanner

Static analysis flagged 24 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 516 file(s), 5.12 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.askexe.com, api.cloudflare.com, api.github.com, api.openai.com, api.telegram.org, app.asana.com, askexe.com, auth.changeme, claude.com, cloud.askexe.com, crm.changeme, developers.hostinger.com, download.docker.com, erp.changeme, gateway.askexe.com, ghcr.io, github.com, graph.facebook.com, monitor.askexe.com, nodejs.org, opencode.ai, openrouter.ai, unpkg.com, update.askexe.com, wiki.changeme, www.apple.com

Source & flagged code

15 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/bin/install.js --commands-only || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/bin/install.js --commands-only || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/chunk-75H4R62K.jsView file
1// src/lib/cc-binary-detect.ts L2: import { execSync } from "child_process"; L3: import { existsSync, readFileSync, readdirSync } from "fs";
High
Child Process

Package source references child process execution.

dist/chunk-75H4R62K.jsView on unpkg · L1
dist/bin/install.jsView file
92Install-time AI-agent control hijack evidence: L160: // src/bin/install.ts L161: import { existsSync, openSync, closeSync, writeFileSync, readFileSync, unlinkSync, statSync, mkdirSync, chmodSync, renameSync, readdirSync } from "fs"; L162: import { spawn, execSync } from "child_process"; ... L381: if (!existsSync(plistDir)) { L382: mkdirSync(plistDir, { recursive: true }); L383: } ... L400: } L401: writeFileSync(newPlistPath, finalPlistContent); L402: if (!reload) { ... L420: const binDir = path.join(home, ".exe-os", "bin"); L421: mkdirSync(binDir, { recursive: true }); L422: const shimPath = path.join(binDir, "exe-os-node"); Payload evidence from dist/bin/exe-launch-agent.js: L92: import { existsSync, readFileSync, mkdirSync, readdirSync } from "fs"; L93: import { spawn as spawnAsync } from "child_process"; L94: import { execSync } from "child_process"; ... L98: } catch (err) { L99: process.stderr.write(`[exe-launch-agent] roster load failed: ${err instanceof Error ? err.message : String(err)} L100: `); ... L142: function identityPathFor(agent) { L143: const dir = path.join(os.homedir(), ".exe-os", "identity"); L144: const exactPath = path.join(dir, `${agent}.md`); ... L165: funct…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

dist/bin/install.jsView on unpkg · L92
867process.stderr.write( L868: "\nexe-os does not support native Windows. Use WSL2 instead:\n 1. Run `wsl --install` in PowerShell\n 2. Open Ubuntu/WSL2\n 3. Install and run exe-os inside WSL2\n\n" L869: );
High
Shell

Package source references shell execution.

dist/bin/install.jsView on unpkg · L867
dist/chunk-LKB2VIIV.jsView file
167if (!process.env.DATABASE_URL) process.env.DATABASE_URL = url; L168: const { createRequire } = await import("module"); L169: const { pathToFileURL } = await import("url");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-LKB2VIIV.jsView on unpkg · L167
dist/chunk-KADUJ7PE.jsView file
12import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync } from "fs"; L13: import { execSync } from "child_process"; L14: import path from "path"; ... L121: try { L122: cfg = JSON.parse(readFileSync(configPath, "utf8")); L123: } catch { ... L126: const sentinelPath = path.join(exeDir, "embeddings-enabled"); L127: if (process.env.EXE_EMBEDDINGS !== void 0 || existsSync(sentinelPath) || cfg) { L128: return resolveEmbeddingsEnabled(process.env.EXE_EMBEDDINGS, cfg, sentinelPath); ... L137: function main() { L138: const HOME = os.homedir(); L139: const PLIST_NAME = "com.askexe.exed.plist";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-KADUJ7PE.jsView on unpkg · L12
dist/bin/exe-watchdog.jsView file
12import { randomUUID } from "crypto"; L13: import { spawn } from "child_process"; L14: import { get } from "http"; L15: import { join } from "path"; ... L17: import { homedir, userInfo, loadavg, cpus, platform } from "os"; L18: var EXE_DIR = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? join(homedir(), ".exe-os"); L19: var PID_PATH = join(EXE_DIR, "exed.pid");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/exe-watchdog.jsView on unpkg · L12
dist/chunk-BVV6NHKQ.jsView file
49if (process.platform === "linux") { L50: execSync(`notify-send "${safeTitle}" "${safeBody}"`, { L51: timeout: DESKTOP_TIMEOUT_MS, ... L57: } catch (err) { L58: process.stderr.write(`[push-notify] Desktop notification failed: ${err instanceof Error ? err.message : String(err)} L59: `); ... L64: try { L65: const url = `https://api.telegram.org/bot${botToken}/sendMessage`; L66: const res = await fetch(url, {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/chunk-BVV6NHKQ.jsView on unpkg · L49
49Trigger-reachable chain: scripts.postinstall -> dist/bin/install.js -> dist/chunk-5JILQMRS.js -> dist/push-notifications-W5JRXLKJ.js -> dist/chunk-BVV6NHKQ.js L49: if (process.platform === "linux") { L50: execSync(`notify-send "${safeTitle}" "${safeBody}"`, { L51: timeout: DESKTOP_TIMEOUT_MS, ... L57: } catch (err) { L58: process.stderr.write(`[push-notify] Desktop notification failed: ${err instanceof Error ? err.message : String(err)} L59: `); ... L64: try { L65: const url = `https://api.telegram.org/bot${botToken}/sendMessage`; L66: const res = await fetch(url, {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-BVV6NHKQ.jsView on unpkg · L49
dist/bin/cli.jsView file
7async function configureProxyFromEnv() { L8: if (!process.env.HTTP_PROXY && !process.env.HTTPS_PROXY && !process.env.NO_PROXY) return; L9: try { L10: const { setGlobalDispatcher, EnvHttpProxyAgent } = await import("undici"); L11: setGlobalDispatcher(new EnvHttpProxyAgent()); L12: } catch { L13: process.stderr.write("exe-os: HTTP(S)_PROXY is set, but undici proxy support is unavailable; continuing without global proxy.\n"); L14: } ... L26: var args = process.argv.slice(2); L27: if (process.platform === "win32") { L28: process.stderr.write( L29: "\nexe-os does not support native Windows. Use WSL2 instead:\n 1. Run `wsl --install` in PowerShell\n 2. Open Ubuntu/WSL2\n 3. Install and run exe-os inside WSL2\n\n"
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/bin/cli.jsView on unpkg · L7
dist/chunk-U7ORCOJH.jsView file
852Cross-file remote execution chain: dist/chunk-U7ORCOJH.js spawns dist/chunk-3OEVDGIY.js; helper contains network access plus dynamic code execution. L852: agent_role: agentRole, L853: session_id: process.env.SESSION_ID ?? "manual", L854: timestamp: (/* @__PURE__ */ new Date()).toISOString(), ... L962: } catch (err) { L963: process.stderr.write( L964: `[commit-memory] Failed to archive superseded memory ${supersedes_id}: ${err instanceof Error ? err.message : String(err)} ... L2329: try { L2330: const cp = JSON.parse(String(row.checkpoint)); L2331: lines.push( ... L2435: const preflightWarnings = []; L2436: const baseDir = process.cwd(); L2437: if (assignee) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-U7ORCOJH.jsView on unpkg · L852
dist/bin/update.jsView file
149try { L150: execSync(`npm install -g @askexenow/exe-os@${manifest.version}`, { L151: stdio: ["pipe", "pipe", "inherit"],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/bin/update.jsView on unpkg · L149
dist/bin/exe-start.shView file
path = dist/bin/exe-start.sh kind = build_helper sizeBytes = 10038 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/bin/exe-start.shView on unpkg
dist/bin/deferred-daemon-restart.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @askexenow/exe-os@0.9.319 matchedIdentity = npm:QGFza2V4ZW5vdy9leGUtb3M:0.9.319 similarity = 0.508 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/bin/deferred-daemon-restart.jsView on unpkg

Findings

4 Critical7 High7 Medium6 Low
CriticalCommand Output Exfiltrationdist/chunk-BVV6NHKQ.js
CriticalAi Agent Control Hijackdist/bin/install.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-BVV6NHKQ.js
CriticalPrevious Version Dangerous Deltadist/bin/deferred-daemon-restart.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/chunk-75H4R62K.js
HighShelldist/bin/install.js
HighSame File Env Network Executiondist/bin/exe-watchdog.js
HighSandbox Evasion Gated Capabilitydist/bin/cli.js
HighCross File Remote Execution Contextdist/chunk-U7ORCOJH.js
HighRuntime Package Installdist/bin/update.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/chunk-LKB2VIIV.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-KADUJ7PE.js
MediumShips Build Helperdist/bin/exe-start.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License