@askexenow/exe-os@0.9.319

AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates Claude agent skill files during npm postinstall. This is an AI-agent control-surface write before the user explicitly runs setup.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install / package postinstall
Impact
Can alter future Claude behavior by installing package-authored skills automatically.
Mechanism
postinstall copies package-supplied SKILL.md files into ~/.claude/skills
Policy narrative
On install, npm runs dist/bin/install.js --commands-only. That path does not only install package binaries: it calls copySlashCommands, which creates ~/.claude/skills directories and writes package-provided SKILL.md files. Those files are consumed by an AI agent environment, so the package changes an agent control surface as an install-time side effect.
Rationale
Static inspection confirms automatic postinstall writes into Claude skill directories, which is unconsented lifecycle AI-agent control-surface mutation. Scanner exfiltration hints appear to be package-aligned setup/notification flows, but the install-time agent mutation is sufficient to block. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • dist/bin/install.js
  • dist/chunk-K6GZMAIA.js
  • dist/chunk-BVV6NHKQ.js
  • dist/chunk-6DTSAEDS.js
  • ~/.claude/skills/exe-*/SKILL.md
  • ~/.claude/skills/exe/SKILL.md
  • ~/Library/LaunchAgents/com.askexe.exed.plist
  • ~/.config/systemd/user/exe-os.service

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node dist/bin/install.js --commands-only
  • dist/bin/install.js --commands-only calls copySlashCommands(packageRoot) during npm install
  • dist/chunk-K6GZMAIA.js copySlashCommands writes package markdown into ~/.claude/skills/*/SKILL.md
  • dist/bin/install.js can refresh LaunchAgent/systemd daemon files after setup exists
Evidence against
  • dist/chunk-BVV6NHKQ.js notification network sends only to user-configured Telegram/email endpoints
  • dist/chunk-6DTSAEDS.js api.askexe.com calls are setup/license/cloud flows, not automatic credential exfiltration
  • Global Claude/Codex hook installation is mostly behind explicit --global/user commands
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 511 file(s), 4.94 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.askexe.com, api.cloudflare.com, api.github.com, api.openai.com, api.telegram.org, app.asana.com, askexe.com, auth.changeme, claude.com, cloud.askexe.com, crm.changeme, developers.hostinger.com, download.docker.com, erp.changeme, gateway.askexe.com, ghcr.io, github.com, graph.facebook.com, monitor.askexe.com, nodejs.org, opencode.ai, openrouter.ai, unpkg.com, update.askexe.com, wiki.changeme, www.apple.com

Source & flagged code

15 flagged
package.json
scripts.postinstall = node dist/bin/install.js --commands-only || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node dist/bin/install.js --commands-only || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/chunk-75H4R62K.js
    L1: // src/lib/cc-binary-detect.ts
    L2: import { execSync } from "child_process";
    L3: import { existsSync, readFileSync, readdirSync } from "fs";
High
Child Process

Package source references child process execution.

dist/chunk-75H4R62K.js · L1
dist/bin/install.js
Install-time AI-agent control hijack evidence:
    L155: // src/bin/install.ts
    L156: import { existsSync, openSync, closeSync, writeFileSync, readFileSync, unlinkSync, statSync, mkdirSync, chmodSync, renameSync, readdirSync } from "fs";
    L157: import { spawn, execSync } from "child_process";
    ...
    L358: if (!existsSync(plistDir)) {
    L359: mkdirSync(plistDir, { recursive: true });
    L360: }
    ...
    L377: }
    L378: writeFileSync(newPlistPath, finalPlistContent);
    L379: if (!reload) {
    ...
    L397: const binDir = path.join(home, ".exe-os", "bin");
    L398: mkdirSync(binDir, { recursive: true });
    L399: const shimPath = path.join(binDir, "exe-os-node");
Payload evidence from dist/bin/exe-launch-agent.js:
    L89: import { existsSync, readFileSync, mkdirSync, readdirSync } from "fs";
    L90: import { spawn as spawnAsync } from "child_process";
    L91: import { execSync } from "child_process";
    ...
    L95: } catch (err) {
    L96: process.stderr.write(`[exe-launch-agent] roster load failed: ${err instanceof Error ? err.message : String(err)}
    L97: `);
    ...
    L139: function identityPathFor(agent) {
    L140: const dir = path.join(os.homedir(), ".exe-os", "identity");
    L141: const exactPath = path.join(dir, `${agent}.md`);
    ...
    L162: functi…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

dist/bin/install.js · L89
    L814: process.stderr.write(
    L815: "\nexe-os does not support native Windows. Use WSL2 instead:\n 1. Run `wsl --install` in PowerShell\n 2. Open Ubuntu/WSL2\n 3. Install and run exe-os inside WSL2\n\n"
    L816: );
High
Shell

Package source references shell execution.

dist/bin/install.js · L814
dist/chunk-36SS3TE7.js
    L419: try {
    L420: const { loadAgentConfig, saveAgentConfig } = await import("./lib/agent-config.js");
    L421: const config = loadAgentConfig();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-36SS3TE7.js · L419
    L59: const jitter = Math.floor(Math.random() * MAX_JITTER_MS);
    L60: process.stderr.write(
    L61: `[exe-os] SQLITE_BUSY ${label} retry ${attempt + 1}/${MAX_RETRIES} \u2014 waiting ${backoff + jitter}ms
    ...
    L85: import { existsSync as existsSync2, symlinkSync, readlinkSync, readFileSync as readFileSync2, renameSync, unlinkSync, writeFileSync as writeFileSync2 } from "fs";
    L86: import { execSync } from "child_process";
    L87: import path2 from "path";
    ...
    L306: try {
    L307: return JSON.parse(raw);
    L308: } catch {
    ...
    L439: try {
    L440: const identityDir = path2.join(os.homedir(), ".exe-os", "identity");
    L441: const oldPath = path2.join(identityDir, `${oldName}.md`);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-36SS3TE7.js · L59
dist/project-boot-3UP6ETJY.js
    L8: import path from "path";
    L9: import { execSync } from "child_process";
    L10: import { existsSync, readFileSync } from "fs";
    L11: import net from "net";
    L12: var DAEMON_URL = "http://127.0.0.1:48739";
    L13: var EXE_DIR = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(process.env.HOME ?? "/tmp", ".exe-os");
    L14: var SOCK_PATH = path.join(EXE_DIR, "exed.sock");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/project-boot-3UP6ETJY.js · L8
dist/chunk-6DTSAEDS.js
    L21: import crypto from "crypto";
    L22: import { execSync } from "child_process";
    L23: import { existsSync as existsSync2, mkdirSync, readFileSync, unlinkSync as unlinkSync2, writeFileSync, chmodSync } from "fs";
    ...
    L32: import path from "path";
    L33: var GGUF_URL = process.env.EXE_EMBED_MODEL_URL ?? "";
    L34: var EXPECTED_SHA256 = process.env.EXE_EMBED_MODEL_SHA256 ?? "";
    ...
    L103: resetInactivityTimer();
    L104: if (!fileStream.write(value)) {
    L105: await new Promise((resolve) => fileStream.once("drain", resolve));
    ...
    L134: if (attempt < MAX_RETRIES) {
    L135: process.stderr.write(`
    L136: Download attempt ${attempt} failed, retrying...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-6DTSAEDS.js · L21
dist/chunk-BVV6NHKQ.js
    L49: if (process.platform === "linux") {
    L50: execSync(`notify-send "${safeTitle}" "${safeBody}"`, {
    L51: timeout: DESKTOP_TIMEOUT_MS,
    ...
    L57: } catch (err) {
    L58: process.stderr.write(`[push-notify] Desktop notification failed: ${err instanceof Error ? err.message : String(err)}
    L59: `);
    ...
    L64: try {
    L65: const url = `https://api.telegram.org/bot${botToken}/sendMessage`;
    L66: const res = await fetch(url, {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/chunk-BVV6NHKQ.js · L49
Trigger-reachable chain: scripts.postinstall -> dist/bin/install.js -> dist/chunk-OXGNFT3L.js -> dist/push-notifications-W5JRXLKJ.js -> dist/chunk-BVV6NHKQ.js
    L49: if (process.platform === "linux") {
    L50: execSync(`notify-send "${safeTitle}" "${safeBody}"`, {
    L51: timeout: DESKTOP_TIMEOUT_MS,
    ...
    L57: } catch (err) {
    L58: process.stderr.write(`[push-notify] Desktop notification failed: ${err instanceof Error ? err.message : String(err)}
    L59: `);
    ...
    L64: try {
    L65: const url = `https://api.telegram.org/bot${botToken}/sendMessage`;
    L66: const res = await fetch(url, {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-BVV6NHKQ.js · L49
dist/bin/cli.js
    L7: async function configureProxyFromEnv() {
    L8: if (!process.env.HTTP_PROXY && !process.env.HTTPS_PROXY && !process.env.NO_PROXY) return;
    L9: try {
    L10: const { setGlobalDispatcher, EnvHttpProxyAgent } = await import("undici");
    L11: setGlobalDispatcher(new EnvHttpProxyAgent());
    L12: } catch {
    L13: process.stderr.write("exe-os: HTTP(S)_PROXY is set, but undici proxy support is unavailable; continuing without global proxy.\n");
    L14: }
    ...
    L26: var args = process.argv.slice(2);
    L27: if (process.platform === "win32") {
    L28: process.stderr.write(
    L29: "\nexe-os does not support native Windows. Use WSL2 instead:\n 1. Run `wsl --install` in PowerShell\n 2. Open Ubuntu/WSL2\n 3. Install and run exe-os inside WSL2\n\n"
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/bin/cli.js · L7
dist/bin/deferred-daemon-restart.js
Cross-file remote execution chain: dist/bin/deferred-daemon-restart.js spawns dist/chunk-3OEVDGIY.js; helper contains network access plus dynamic code execution.
    L132: import { existsSync, openSync, closeSync, writeFileSync, unlinkSync, readFileSync } from "fs";
    L133: import { spawn, execSync } from "child_process";
    L134: import path from "path";
    L135: import os from "os";
    L136: var EXE_DIR = path.join(os.homedir(), ".exe-os");
    L137: var DAEMON_PORT = 48739;
    ...
    L141: try {
    L142: const pkg = JSON.parse(readFileSync(path.join(pkgRoot, "package.json"), "utf8"));
    L143: return pkg.version;
    ...
    L162: versionMismatchWarned = true;
    L163: process.stderr.write(
    L164: `[deferred-restart] daemon/client version mismatch (daemon ${daemonVersion}, client ${clientVersion}). Run: exe-os-install --global
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/deferred-daemon-restart.js · L132
dist/bin/update.js
    L149: try {
    L150: execSync(`npm install -g @askexenow/exe-os@${manifest.version}`, {
    L151: stdio: ["pipe", "pipe", "inherit"],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/bin/update.js · L149
dist/bin/exe-start.sh
path = dist/bin/exe-start.sh kind = build_helper sizeBytes = 9273 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/bin/exe-start.sh

Findings

4 Critical · 7 High · 7 Medium · 6 Low
Critical · Credential Exfiltration · dist/chunk-6DTSAEDS.js
Critical · Command Output Exfiltration · dist/chunk-BVV6NHKQ.js
Critical · Ai Agent Control Hijack · dist/bin/install.js
Critical · Trigger Reachable Dangerous Capability · dist/chunk-BVV6NHKQ.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/chunk-75H4R62K.js
High · Shell · dist/bin/install.js
High · Same File Env Network Execution · dist/project-boot-3UP6ETJY.js
High · Sandbox Evasion Gated Capability · dist/bin/cli.js
High · Cross File Remote Execution Context · dist/bin/deferred-daemon-restart.js
High · Runtime Package Install · dist/bin/update.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/chunk-36SS3TE7.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/chunk-36SS3TE7.js
Medium · Ships Build Helper · dist/bin/exe-start.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License