AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `dailey mcp sync-key` or `dailey setup`; other network behavior occurs when users invoke CLI subcommands.
Impact
Can add Dailey MCP server entries and optionally embed a Dailey API token; no install-time hijack, exfiltration, or destructive behavior confirmed.
Mechanism
User-invoked Dailey API client and MCP config writer
Rationale
Static inspection shows a legitimate Dailey OS CLI with package-aligned API calls and explicit user-invoked MCP setup, but no install-time mutation, hidden execution, credential exfiltration, or destructive behavior. Because it can modify broad AI-agent config surfaces on command, downgrade to warn rather than block.
Evidence
package.jsondist/index.jsdist/api.jsdist/auth.jsdist/lib/mcpConfig.jsdist/commands/mcp.jsdist/commands/setup.jsdist/commands/db.jsdist/commands/local.jsdist/commands/dailey-images.js~/.claude.json~/.codex/config.toml~/.config/opencode/opencode.json~/.cursor/mcp.json.env.dailey-local
Network endpoints4
os.dailey.cloud/apios.dailey.cloud/settingsgithub.com127.0.0.1
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/lib/mcpConfig.js writes Claude, Codex, OpenCode, and Cursor MCP config files under the user's home directory.
- dist/commands/mcp.js exposes `dailey mcp sync-key`, which can mint and embed a DAILEY_API_TOKEN when `--bake` is used.
- dist/commands/setup.js can run `gh auth login` and configure MCP during an explicit guided setup command.
- dist/commands/db.js opens an authenticated local DB tunnel over WebSocket to the Dailey API origin.
Evidence against
- package.json has no preinstall/install/postinstall hook; only prepublishOnly build/smoke scripts.
- dist/index.js only registers commander subcommands; no import-time credential harvesting or remote code execution found.
- Network calls are aligned with the Dailey CLI purpose and default to https://os.dailey.cloud/api.
- MCP config mutation is user-invoked via `mcp sync-key` or `setup`, not install-time or hidden.
- Config writers preserve/merge existing configs and create token-free entries by default; baked tokens are optional and written mode 0600.
- No eval/vm/new Function/native binary loading or broad filesystem harvesting found in inspected files.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/commands/db.jsView file
798patternName = generic_password
severity = medium
line = 798
matchedText = password...ue);
Medium
src/commands/db.tsView file
912patternName = generic_password
severity = medium
line = 912
matchedText = password...ue);
Medium
Findings
4 Medium6 Low
MediumSecret Patterndist/commands/db.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patternsrc/commands/db.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License