registry  /  @askexenow/exe-os  /  0.9.325

@askexenow/exe-os@0.9.325

⚠ Under review

AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 516 file(s), 5.10 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.askexe.com, api.cloudflare.com, api.github.com, api.openai.com, api.telegram.org, app.asana.com, askexe.com, auth.changeme, claude.com, cloud.askexe.com, crm.changeme, developers.hostinger.com, download.docker.com, erp.changeme, gateway.askexe.com, ghcr.io, github.com, graph.facebook.com, monitor.askexe.com, nodejs.org, opencode.ai, openrouter.ai, unpkg.com, update.askexe.com, wiki.changeme, www.apple.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/bin/install.js --commands-only || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/bin/install.js --commands-only || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/chunk-75H4R62K.jsView file
1// src/lib/cc-binary-detect.ts L2: import { execSync } from "child_process"; L3: import { existsSync, readFileSync, readdirSync } from "fs";
High
Child Process

Package source references child process execution.

dist/chunk-75H4R62K.jsView on unpkg · L1
dist/chunk-CR26FCFF.jsView file
21import crypto from "crypto"; L22: import { execSync } from "child_process"; L23: import { existsSync as existsSync2, mkdirSync, readFileSync, unlinkSync as unlinkSync2, writeFileSync, chmodSync } from "fs"; ... L32: import path from "path"; L33: var GGUF_URL = process.env.EXE_EMBED_MODEL_URL ?? ""; L34: var EXPECTED_SHA256 = process.env.EXE_EMBED_MODEL_SHA256 ?? ""; ... L103: resetInactivityTimer(); L104: if (!fileStream.write(value)) { L105: await new Promise((resolve) => fileStream.once("drain", resolve)); ... L134: if (attempt < MAX_RETRIES) { L135: process.stderr.write(` L136: Download attempt ${attempt} failed, retrying...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-CR26FCFF.jsView on unpkg · L21
21Trigger-reachable chain: manifest.bin -> dist/bin/cli.js -> dist/setup-wizard-DX6WLYC5.js -> dist/chunk-CR26FCFF.js L21: import crypto from "crypto"; L22: import { execSync } from "child_process"; L23: import { existsSync as existsSync2, mkdirSync, readFileSync, unlinkSync as unlinkSync2, writeFileSync, chmodSync } from "fs"; ... L32: import path from "path"; L33: var GGUF_URL = process.env.EXE_EMBED_MODEL_URL ?? ""; L34: var EXPECTED_SHA256 = process.env.EXE_EMBED_MODEL_SHA256 ?? ""; ... L103: resetInactivityTimer(); L104: if (!fileStream.write(value)) { L105: await new Promise((resolve) => fileStream.once("drain", resolve)); ... L134: if (attempt < MAX_RETRIES) { L135: process.stderr.write(` L136: Download attempt ${attempt} failed, retrying...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-CR26FCFF.jsView on unpkg · L21
289const HEAP_FLAG_RE = /^--(max[-_]old[-_]space[-_]size|max[-_]semi[-_]space[-_]size|max[-_]heap[-_]size)(=|$)/i; L290: const execArgv = [ L291: ...process.execArgv.filter((a) => !HEAP_FLAG_RE.test(a)),
High
Shell

Package source references shell execution.

dist/chunk-CR26FCFF.jsView on unpkg · L289
dist/bin/install.jsView file
92Install-time AI-agent control hijack evidence: L158: // src/bin/install.ts L159: import { existsSync, openSync, closeSync, writeFileSync, readFileSync, unlinkSync, statSync, mkdirSync, chmodSync, renameSync, readdirSync } from "fs"; L160: import { spawn, execSync } from "child_process"; ... L371: if (!existsSync(plistDir)) { L372: mkdirSync(plistDir, { recursive: true }); L373: } ... L390: } L391: writeFileSync(newPlistPath, finalPlistContent); L392: if (!reload) { ... L410: const binDir = path.join(home, ".exe-os", "bin"); L411: mkdirSync(binDir, { recursive: true }); L412: const shimPath = path.join(binDir, "exe-os-node"); Payload evidence from dist/bin/exe-launch-agent.js: L92: import { existsSync, readFileSync, mkdirSync, readdirSync } from "fs"; L93: import { spawn as spawnAsync } from "child_process"; L94: import { execSync } from "child_process"; ... L98: } catch (err) { L99: process.stderr.write(`[exe-launch-agent] roster load failed: ${err instanceof Error ? err.message : String(err)} L100: `); ... L142: function identityPathFor(agent) { L143: const dir = path.join(os.homedir(), ".exe-os", "identity"); L144: const exactPath = path.join(dir, `${agent}.md`); ... L165: funct…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

dist/bin/install.jsView on unpkg · L92
dist/bin/deferred-daemon-restart.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @askexenow/exe-os@0.9.319 matchedIdentity = npm:QGFza2V4ZW5vdy9leGUtb3M:0.9.319 similarity = 0.567 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/bin/deferred-daemon-restart.jsView on unpkg
135Cross-file remote execution chain: dist/bin/deferred-daemon-restart.js spawns dist/chunk-3OEVDGIY.js; helper contains network access plus dynamic code execution. L135: import { existsSync, openSync, closeSync, writeFileSync, unlinkSync, readFileSync } from "fs"; L136: import { spawn, execSync } from "child_process"; L137: import path from "path"; L138: import os from "os"; L139: var EXE_DIR = path.join(os.homedir(), ".exe-os"); L140: var DAEMON_PORT = 48739; ... L144: try { L145: const pkg = JSON.parse(readFileSync(path.join(pkgRoot, "package.json"), "utf8")); L146: return pkg.version; ... L165: versionMismatchWarned = true; L166: process.stderr.write( L167: `[deferred-restart] daemon/client version mismatch (daemon ${daemonVersion}, client ${clientVersion}). Run: exe-os-install --global
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/deferred-daemon-restart.jsView on unpkg · L135
dist/bin/exe-start.shView file
path = dist/bin/exe-start.sh kind = build_helper sizeBytes = 10038 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/bin/exe-start.shView on unpkg

Findings

4 Critical4 High6 Medium6 Low
CriticalCredential Exfiltrationdist/chunk-CR26FCFF.js
CriticalAi Agent Control Hijackdist/bin/install.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-CR26FCFF.js
CriticalPrevious Version Dangerous Deltadist/bin/deferred-daemon-restart.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/chunk-75H4R62K.js
HighShelldist/chunk-CR26FCFF.js
HighCross File Remote Execution Contextdist/bin/deferred-daemon-restart.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/bin/exe-start.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License