
@askexenow/exe-os@0.9.336

AI employee operating system — persistent memory, task management, and multi-agent coordination for Claude Code.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The npm postinstall lifecycle mutates Claude Code agent control surfaces in the user's home directory without explicit user invocation. It plants package-supplied skills immediately and, for existing setups, refreshes MCP registration, hooks, and daemon supervisor state.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
npm install of @askexenow/exe-os@0.9.336
Impact
Claude/Codex sessions may load package-supplied skills, MCP servers, and hooks from user-level agent config after package installation.
Mechanism
unconsented lifecycle mutation of broad AI-agent configuration
Policy narrative
On npm install, the postinstall script runs dist/bin/install.js --commands-only. That code calls copySlashCommands, which writes package command content into ~/.claude/skills before any setup-state gate. If exe-os was previously configured, the same lifecycle path also updates Claude MCP and hook configuration and daemon supervisor files, giving the package standing agent-facing execution surfaces without a fresh explicit opt-in.
Rationale
This matches the firewall policy's blockable case: lifecycle-triggered, unconsented writes into foreign/broad AI-agent control surfaces such as ~/.claude skills, ~/.claude.json MCP, and Claude settings hooks. The package appears product-aligned, but the delivery mechanism itself is the concrete attack behavior under the install-control-surface rule.
Evidence
  • package.json
  • dist/bin/install.js
  • dist/chunk-EVV2G3CW.js
  • dist/installer-EGY5GPB7.js
  • dist/bin/deferred-daemon-restart.js
  • dist/chunk-OG5CXUHI.js
  • ~/.claude/skills/*/SKILL.md
  • ~/.claude.json
  • ~/.claude/settings.json
  • ~/.codex/hooks.json
  • ~/.codex/config.toml
  • ~/Library/LaunchAgents/com.askexe.exed.plist
  • ~/.config/systemd/user/exe-os.service
Network endpoints (3)
  • api.askexe.com
  • askexe.com
  • 127.0.0.1:48739/health

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node dist/bin/install.js --commands-only || true
  • dist/bin/install.js postinstall path calls copySlashCommands before checking setup state
  • dist/chunk-EVV2G3CW.js copies package src/commands/*.md into ~/.claude/skills/*/SKILL.md
  • If setup already exists, postinstall also registers ~/.claude.json MCP and ~/.claude/settings.json hooks
  • dist/installer-EGY5GPB7.js global install mutates ~/.codex/hooks.json and ~/.codex/config.toml
  • Installer creates launchd/systemd daemon supervisors and deferred restart files under user home
Evidence against
  • Network endpoints seen are package-aligned askexe.com/api.askexe.com or local daemon endpoints
  • Cloud activation in dist/chunk-OG5CXUHI.js is interactive/env-driven setup, not the postinstall path
  • No evidence of arbitrary remote code download executed during postinstall; daemon uses packaged dist/lib/exe-daemon.js
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 518 file(s), 5.13 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.askexe.com, api.cloudflare.com, api.github.com, api.openai.com, api.telegram.org, app.asana.com, askexe.com, auth.changeme, claude.com, cloud.askexe.com, crm.changeme, developers.hostinger.com, download.docker.com, erp.changeme, gateway.askexe.com, ghcr.io, github.com, graph.facebook.com, monitor.askexe.com, nodejs.org, opencode.ai, openrouter.ai, unpkg.com, update.askexe.com, wiki.changeme, www.apple.com

Source & flagged code

13 flagged
package.json
scripts.postinstall = node dist/bin/install.js --commands-only || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node dist/bin/install.js --commands-only || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/chunk-75H4R62K.js
L1: // src/lib/cc-binary-detect.ts
L2: import { execSync } from "child_process";
L3: import { existsSync, readFileSync, readdirSync } from "fs";
High
Child Process

Package source references child process execution.

dist/chunk-75H4R62K.js · L1
dist/chunk-OG5CXUHI.js
L22: import crypto from "crypto";
L23: import { execSync } from "child_process";
L24: import { existsSync as existsSync2, mkdirSync, readFileSync, unlinkSync as unlinkSync2, writeFileSync, chmodSync } from "fs";
...
L33: import path from "path";
L34: var GGUF_URL = process.env.EXE_EMBED_MODEL_URL ?? "";
L35: var EXPECTED_SHA256 = process.env.EXE_EMBED_MODEL_SHA256 ?? "";
...
L104: resetInactivityTimer();
L105: if (!fileStream.write(value)) {
L106: await new Promise((resolve) => fileStream.once("drain", resolve));
...
L135: if (attempt < MAX_RETRIES) {
L136: process.stderr.write(`
L137: Download attempt ${attempt} failed, retrying...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-OG5CXUHI.js · L22
Trigger-reachable chain: manifest.bin -> dist/bin/cli.js -> dist/setup-wizard-X6HICSAF.js -> dist/chunk-OG5CXUHI.js
L22: import crypto from "crypto";
L23: import { execSync } from "child_process";
L24: import { existsSync as existsSync2, mkdirSync, readFileSync, unlinkSync as unlinkSync2, writeFileSync, chmodSync } from "fs";
...
L33: import path from "path";
L34: var GGUF_URL = process.env.EXE_EMBED_MODEL_URL ?? "";
L35: var EXPECTED_SHA256 = process.env.EXE_EMBED_MODEL_SHA256 ?? "";
...
L104: resetInactivityTimer();
L105: if (!fileStream.write(value)) {
L106: await new Promise((resolve) => fileStream.once("drain", resolve));
...
L135: if (attempt < MAX_RETRIES) {
L136: process.stderr.write(`
L137: Download attempt ${attempt} failed, retrying...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-OG5CXUHI.js · L22
L305: const HEAP_FLAG_RE = /^--(max[-_]old[-_]space[-_]size|max[-_]semi[-_]space[-_]size|max[-_]heap[-_]size)(=|$)/i;
L306: const execArgv = [
L307: ...process.execArgv.filter((a) => !HEAP_FLAG_RE.test(a)),
High
Shell

Package source references shell execution.

dist/chunk-OG5CXUHI.js · L305
dist/chunk-XZHA3WO2.js
L419: try {
L420: const { loadAgentConfig, saveAgentConfig } = await import("./lib/agent-config.js");
L421: const config = loadAgentConfig();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-XZHA3WO2.js · L419
dist/chunk-KADUJ7PE.js
L12: import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync } from "fs";
L13: import { execSync } from "child_process";
L14: import path from "path";
...
L121: try {
L122: cfg = JSON.parse(readFileSync(configPath, "utf8"));
L123: } catch {
...
L126: const sentinelPath = path.join(exeDir, "embeddings-enabled");
L127: if (process.env.EXE_EMBEDDINGS !== void 0 || existsSync(sentinelPath) || cfg) {
L128: return resolveEmbeddingsEnabled(process.env.EXE_EMBEDDINGS, cfg, sentinelPath);
...
L137: function main() {
L138: const HOME = os.homedir();
L139: const PLIST_NAME = "com.askexe.exed.plist";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-KADUJ7PE.js · L12
dist/project-boot-27QXVGY3.js
L8: import path from "path";
L9: import { execSync } from "child_process";
L10: import { existsSync, readFileSync } from "fs";
L11: import net from "net";
L12: var DAEMON_URL = "http://127.0.0.1:48739";
L13: var EXE_DIR = process.env.EXE_OS_DIR ?? process.env.EXE_MEM_DIR ?? path.join(process.env.HOME ?? "/tmp", ".exe-os");
L14: var SOCK_PATH = path.join(EXE_DIR, "exed.sock");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/project-boot-27QXVGY3.js · L8
dist/bin/install.js
Install-time AI-agent control hijack evidence:
L160: // src/bin/install.ts
L161: import { existsSync, openSync, closeSync, writeFileSync, readFileSync, unlinkSync, statSync, mkdirSync, chmodSync, renameSync, readdirSync } from "fs";
L162: import { spawn, execSync } from "child_process";
...
L381: if (!existsSync(plistDir)) {
L382: mkdirSync(plistDir, { recursive: true });
L383: }
...
L400: }
L401: writeFileSync(newPlistPath, finalPlistContent);
L402: if (!reload) {
...
L420: const binDir = path.join(home, ".exe-os", "bin");
L421: mkdirSync(binDir, { recursive: true });
L422: const shimPath = path.join(binDir, "exe-os-node");
Payload evidence from dist/bin/exe-launch-agent.js:
L92: import { existsSync, readFileSync, mkdirSync, readdirSync } from "fs";
L93: import { spawn as spawnAsync } from "child_process";
L94: import { execSync } from "child_process";
...
L98: } catch (err) {
L99: process.stderr.write(`[exe-launch-agent] roster load failed: ${err instanceof Error ? err.message : String(err)}
L100: `);
...
L142: function identityPathFor(agent) {
L143: const dir = path.join(os.homedir(), ".exe-os", "identity");
L144: const exactPath = path.join(dir, `${agent}.md`);
...
L165: funct…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

dist/bin/install.js · L92
dist/bin/deferred-daemon-restart.js
matchType = previous_version_dangerous_delta
matchedPackage = @askexenow/exe-os@0.9.319
matchedIdentity = npm:QGFza2V4ZW5vdy9leGUtb3M:0.9.319
similarity = 0.508
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Cross-file remote execution chain: dist/bin/deferred-daemon-restart.js spawns dist/chunk-3OEVDGIY.js; helper contains network access plus dynamic code execution.
L135: import { existsSync, openSync, closeSync, writeFileSync, unlinkSync, readFileSync } from "fs";
L136: import { spawn, execSync } from "child_process";
L137: import path from "path";
L138: import os from "os";
L139: var EXE_DIR = path.join(os.homedir(), ".exe-os");
L140: var DAEMON_PORT = 48739;
...
L144: try {
L145: const pkg = JSON.parse(readFileSync(path.join(pkgRoot, "package.json"), "utf8"));
L146: return pkg.version;
...
L165: versionMismatchWarned = true;
L166: process.stderr.write(
L167: `[deferred-restart] daemon/client version mismatch (daemon ${daemonVersion}, client ${clientVersion}). Run: exe-os-install --global
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/deferred-daemon-restart.js · L135
dist/bin/exe-start.sh
path = dist/bin/exe-start.sh
kind = build_helper
sizeBytes = 10038
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

4 Critical · 5 High · 7 Medium · 6 Low
Critical · Credential Exfiltration · dist/chunk-OG5CXUHI.js
Critical · Ai Agent Control Hijack · dist/bin/install.js
Critical · Trigger Reachable Dangerous Capability · dist/chunk-OG5CXUHI.js
Critical · Previous Version Dangerous Delta · dist/bin/deferred-daemon-restart.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/chunk-75H4R62K.js
High · Shell · dist/chunk-OG5CXUHI.js
High · Same File Env Network Execution · dist/project-boot-27QXVGY3.js
High · Cross File Remote Execution Context · dist/bin/deferred-daemon-restart.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/chunk-XZHA3WO2.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/chunk-KADUJ7PE.js
Medium · Ships Build Helper · dist/bin/exe-start.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License