registry  /  @askexenow/exe-os  /  0.9.327

@askexenow/exe-os@0.9.327

⚠ Under review

AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 25 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 516 file(s), 5.11 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.askexe.com, api.cloudflare.com, api.github.com, api.openai.com, api.telegram.org, app.asana.com, askexe.com, auth.changeme, claude.com, cloud.askexe.com, crm.changeme, developers.hostinger.com, download.docker.com, erp.changeme, gateway.askexe.com, ghcr.io, github.com, graph.facebook.com, monitor.askexe.com, nodejs.org, opencode.ai, openrouter.ai, unpkg.com, update.askexe.com, wiki.changeme, www.apple.com

Source & flagged code

16 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/bin/install.js --commands-only || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/bin/install.js --commands-only || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/chunk-75H4R62K.jsView file
1// src/lib/cc-binary-detect.ts L2: import { execSync } from "child_process"; L3: import { existsSync, readFileSync, readdirSync } from "fs";
High
Child Process

Package source references child process execution.

dist/chunk-75H4R62K.jsView on unpkg · L1
dist/bin/install.jsView file
92Install-time AI-agent control hijack evidence: L160: // src/bin/install.ts L161: import { existsSync, openSync, closeSync, writeFileSync, readFileSync, unlinkSync, statSync, mkdirSync, chmodSync, renameSync, readdirSync } from "fs"; L162: import { spawn, execSync } from "child_process"; ... L381: if (!existsSync(plistDir)) { L382: mkdirSync(plistDir, { recursive: true }); L383: } ... L400: } L401: writeFileSync(newPlistPath, finalPlistContent); L402: if (!reload) { ... L420: const binDir = path.join(home, ".exe-os", "bin"); L421: mkdirSync(binDir, { recursive: true }); L422: const shimPath = path.join(binDir, "exe-os-node"); Payload evidence from dist/bin/exe-launch-agent.js: L92: import { existsSync, readFileSync, mkdirSync, readdirSync } from "fs"; L93: import { spawn as spawnAsync } from "child_process"; L94: import { execSync } from "child_process"; ... L98: } catch (err) { L99: process.stderr.write(`[exe-launch-agent] roster load failed: ${err instanceof Error ? err.message : String(err)} L100: `); ... L142: function identityPathFor(agent) { L143: const dir = path.join(os.homedir(), ".exe-os", "identity"); L144: const exactPath = path.join(dir, `${agent}.md`); ... L165: funct…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

dist/bin/install.jsView on unpkg · L92
867process.stderr.write( L868: "\nexe-os does not support native Windows. Use WSL2 instead:\n 1. Run `wsl --install` in PowerShell\n 2. Open Ubuntu/WSL2\n 3. Install and run exe-os inside WSL2\n\n" L869: );
High
Shell

Package source references shell execution.

dist/bin/install.jsView on unpkg · L867
dist/chunk-4TATUT6T.jsView file
167if (!process.env.DATABASE_URL) process.env.DATABASE_URL = url; L168: const { createRequire } = await import("module"); L169: const { pathToFileURL } = await import("url");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-4TATUT6T.jsView on unpkg · L167
dist/chunk-KADUJ7PE.jsView file
12import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync } from "fs"; L13: import { execSync } from "child_process"; L14: import path from "path"; ... L121: try { L122: cfg = JSON.parse(readFileSync(configPath, "utf8")); L123: } catch { ... L126: const sentinelPath = path.join(exeDir, "embeddings-enabled"); L127: if (process.env.EXE_EMBEDDINGS !== void 0 || existsSync(sentinelPath) || cfg) { L128: return resolveEmbeddingsEnabled(process.env.EXE_EMBEDDINGS, cfg, sentinelPath); ... L137: function main() { L138: const HOME = os.homedir(); L139: const PLIST_NAME = "com.askexe.exed.plist";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-KADUJ7PE.jsView on unpkg · L12
dist/bin/exe-watchdog.jsView file
12import { randomUUID } from "crypto"; L13: import { spawn } from "child_process"; L14: import { get } from "http"; L15: import { join } from "path"; ... L17: import { homedir, userInfo, loadavg, cpus, platform } from "os"; L18: var EXE_DIR = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? join(homedir(), ".exe-os"); L19: var PID_PATH = join(EXE_DIR, "exed.pid");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/exe-watchdog.jsView on unpkg · L12
dist/chunk-TTXESWLS.jsView file
22import crypto from "crypto"; L23: import { execSync } from "child_process"; L24: import { existsSync as existsSync2, mkdirSync, readFileSync, unlinkSync as unlinkSync2, writeFileSync, chmodSync } from "fs"; ... L33: import path from "path"; L34: var GGUF_URL = process.env.EXE_EMBED_MODEL_URL ?? ""; L35: var EXPECTED_SHA256 = process.env.EXE_EMBED_MODEL_SHA256 ?? ""; ... L104: resetInactivityTimer(); L105: if (!fileStream.write(value)) { L106: await new Promise((resolve) => fileStream.once("drain", resolve)); ... L135: if (attempt < MAX_RETRIES) { L136: process.stderr.write(` L137: Download attempt ${attempt} failed, retrying...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-TTXESWLS.jsView on unpkg · L22
22Trigger-reachable chain: manifest.bin -> dist/bin/cli.js -> dist/setup-wizard-J6IU42MO.js -> dist/chunk-TTXESWLS.js L22: import crypto from "crypto"; L23: import { execSync } from "child_process"; L24: import { existsSync as existsSync2, mkdirSync, readFileSync, unlinkSync as unlinkSync2, writeFileSync, chmodSync } from "fs"; ... L33: import path from "path"; L34: var GGUF_URL = process.env.EXE_EMBED_MODEL_URL ?? ""; L35: var EXPECTED_SHA256 = process.env.EXE_EMBED_MODEL_SHA256 ?? ""; ... L104: resetInactivityTimer(); L105: if (!fileStream.write(value)) { L106: await new Promise((resolve) => fileStream.once("drain", resolve)); ... L135: if (attempt < MAX_RETRIES) { L136: process.stderr.write(` L137: Download attempt ${attempt} failed, retrying...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-TTXESWLS.jsView on unpkg · L22
dist/chunk-7TS64TBG.jsView file
15// src/lib/exe-daemon-client.ts L16: import net from "net"; L17: import os from "os"; L18: import { spawn, execSync } from "child_process"; L19: import { randomUUID } from "crypto"; ... L26: function debugLog(msg) { L27: if (isDebug()) process.stderr.write(msg.endsWith("\n") ? msg : msg + "\n"); L28: }
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunk-7TS64TBG.jsView on unpkg · L15
dist/bin/cli.jsView file
7async function configureProxyFromEnv() { L8: if (!process.env.HTTP_PROXY && !process.env.HTTPS_PROXY && !process.env.NO_PROXY) return; L9: try { L10: const { setGlobalDispatcher, EnvHttpProxyAgent } = await import("undici"); L11: setGlobalDispatcher(new EnvHttpProxyAgent()); L12: } catch { L13: process.stderr.write("exe-os: HTTP(S)_PROXY is set, but undici proxy support is unavailable; continuing without global proxy.\n"); L14: } ... L26: var args = process.argv.slice(2); L27: if (process.platform === "win32") { L28: process.stderr.write( L29: "\nexe-os does not support native Windows. Use WSL2 instead:\n 1. Run `wsl --install` in PowerShell\n 2. Open Ubuntu/WSL2\n 3. Install and run exe-os inside WSL2\n\n"
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/bin/cli.jsView on unpkg · L7
dist/bin/deferred-daemon-restart.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @askexenow/exe-os@0.9.319 matchedIdentity = npm:QGFza2V4ZW5vdy9leGUtb3M:0.9.319 similarity = 0.533 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/bin/deferred-daemon-restart.jsView on unpkg
135Cross-file remote execution chain: dist/bin/deferred-daemon-restart.js spawns dist/chunk-3OEVDGIY.js; helper contains network access plus dynamic code execution. L135: import { existsSync, openSync, closeSync, writeFileSync, unlinkSync, readFileSync } from "fs"; L136: import { spawn, execSync } from "child_process"; L137: import path from "path"; L138: import os from "os"; L139: var EXE_DIR = path.join(os.homedir(), ".exe-os"); L140: var DAEMON_PORT = 48739; ... L144: try { L145: const pkg = JSON.parse(readFileSync(path.join(pkgRoot, "package.json"), "utf8")); L146: return pkg.version; ... L165: versionMismatchWarned = true; L166: process.stderr.write( L167: `[deferred-restart] daemon/client version mismatch (daemon ${daemonVersion}, client ${clientVersion}). Run: exe-os-install --global
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/deferred-daemon-restart.jsView on unpkg · L135
dist/bin/update.jsView file
149try { L150: execSync(`npm install -g @askexenow/exe-os@${manifest.version}`, { L151: stdio: ["pipe", "pipe", "inherit"],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/bin/update.jsView on unpkg · L149
dist/bin/exe-start.shView file
path = dist/bin/exe-start.sh kind = build_helper sizeBytes = 10038 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/bin/exe-start.shView on unpkg

Findings

4 Critical8 High7 Medium6 Low
CriticalCredential Exfiltrationdist/chunk-TTXESWLS.js
CriticalAi Agent Control Hijackdist/bin/install.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-TTXESWLS.js
CriticalPrevious Version Dangerous Deltadist/bin/deferred-daemon-restart.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/chunk-75H4R62K.js
HighShelldist/bin/install.js
HighSame File Env Network Executiondist/bin/exe-watchdog.js
HighCommand Output Exfiltrationdist/chunk-7TS64TBG.js
HighSandbox Evasion Gated Capabilitydist/bin/cli.js
HighCross File Remote Execution Contextdist/bin/deferred-daemon-restart.js
HighRuntime Package Installdist/bin/update.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/chunk-4TATUT6T.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-KADUJ7PE.js
MediumShips Build Helperdist/bin/exe-start.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License