registry  /  @daileyos/cli  /  0.19.0

@daileyos/cli@0.19.0

Dailey OS CLI

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `dailey mcp sync-key` or `dailey setup`; other network behavior occurs when users invoke CLI subcommands.
Impact
Can add Dailey MCP server entries and optionally embed a Dailey API token; no install-time hijack, exfiltration, or destructive behavior confirmed.
Mechanism
User-invoked Dailey API client and MCP config writer
Rationale
Static inspection shows a legitimate Dailey OS CLI with package-aligned API calls and explicit user-invoked MCP setup, but no install-time mutation, hidden execution, credential exfiltration, or destructive behavior. Because it can modify broad AI-agent config surfaces on command, downgrade to warn rather than block.
Evidence
package.jsondist/index.jsdist/api.jsdist/auth.jsdist/lib/mcpConfig.jsdist/commands/mcp.jsdist/commands/setup.jsdist/commands/db.jsdist/commands/local.jsdist/commands/dailey-images.js~/.claude.json~/.codex/config.toml~/.config/opencode/opencode.json~/.cursor/mcp.json.env.dailey-local
Network endpoints4
os.dailey.cloud/apios.dailey.cloud/settingsgithub.com127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/lib/mcpConfig.js writes Claude, Codex, OpenCode, and Cursor MCP config files under the user's home directory.
  • dist/commands/mcp.js exposes `dailey mcp sync-key`, which can mint and embed a DAILEY_API_TOKEN when `--bake` is used.
  • dist/commands/setup.js can run `gh auth login` and configure MCP during an explicit guided setup command.
  • dist/commands/db.js opens an authenticated local DB tunnel over WebSocket to the Dailey API origin.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build/smoke scripts.
  • dist/index.js only registers commander subcommands; no import-time credential harvesting or remote code execution found.
  • Network calls are aligned with the Dailey CLI purpose and default to https://os.dailey.cloud/api.
  • MCP config mutation is user-invoked via `mcp sync-key` or `setup`, not install-time or hidden.
  • Config writers preserve/merge existing configs and create token-free entries by default; baked tokens are optional and written mode 0600.
  • No eval/vm/new Function/native binary loading or broad filesystem harvesting found in inspected files.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 85 file(s), 522 KB of source, external domains: checkout.stripe.com, cli.github.com, docs.dailey.cloud, oldsite.com, os.dailey.cloud

Source & flagged code

2 flagged · loading source
dist/commands/db.jsView file
798patternName = generic_password severity = medium line = 798 matchedText = password...ue);
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/commands/db.jsView on unpkg · L798
src/commands/db.tsView file
912patternName = generic_password severity = medium line = 912 matchedText = password...ue);
Medium
Secret Pattern

Hardcoded password in src/commands/db.ts

src/commands/db.tsView on unpkg · L912

Findings

4 Medium6 Low
MediumSecret Patterndist/commands/db.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patternsrc/commands/db.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License