registry  /  @elnora-ai/cli  /  2.4.0

@elnora-ai/cli@2.4.0

Elnora AI Platform CLI

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `elnora setup`, `elnora setup codex`, `elnora setup cursor`, `elnora setup vscode`, or `elnora setup claude`.
Impact
Persists an Elnora MCP endpoint and API-key header in third-party AI-tool configuration; the package does not perform this during installation.
Mechanism
User-invoked AI-agent configuration and plugin setup.
Rationale
No concrete malicious install-time behavior, stealth persistence, or credential exfiltration was found. The explicit AI-agent configuration mutation warrants a warning under the firewall policy.
Evidence
package.jsonscripts/postinstall.mjsdist/cli.js~/.codex/mcp.json~/.cursor/mcp.json~/.vscode/mcp.json~/.claude/
Network endpoints2
mcp.elnora.ai/mcpgithub.com/Elnora-AI/elnora-plugins

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` explicitly registers `elnora setup` commands that modify AI-tool configuration.
  • `dist/cli.js` writes an Elnora MCP server plus API-key header to `~/.codex/mcp.json`, `~/.cursor/mcp.json`, and `~/.vscode/mcp.json` after user invocation.
  • `dist/cli.js` runs `claude plugin marketplace add` and `claude plugin install` only through explicit `elnora setup claude`.
  • `dist/cli.js` supports an explicit `update --install` path that downloads release archives and extracts them with system tools.
Evidence against
  • `scripts/postinstall.mjs` only prints setup instructions and exits in CI or without a TTY; it performs no writes or network access.
  • No lifecycle script modifies agent configuration, starts a service, or executes downloaded content.
  • The HTTP MCP listener is started only by `elnora mcp serve`; it requires API-key validation.
  • No `eval`, `Function`, dynamic code loading, credential harvesting, or unexplained exfiltration was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 207 KB of source, external domains: claude.ai, cli.elnora.ai, code.visualstudio.com, cursor.com, docs.elnora.ai, github.com, mcp.elnora.ai, platform.elnora.ai, registry.npmjs.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
2197// src/commands/open.ts L2198: import { exec } from "node:child_process"; L2199: var URLS = {
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L2197
1341} L1342: const result = await cmd.execute(parsed, ctx); L1343: if (result != null) {
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L1341
32"use strict"; L33: VERSION = true ? "2.4.0" : process.env.npm[redacted] ?? "0.0.0-dev"; L34: PRODUCTION_BASE_URL = "https://platform.elnora.ai/api/v1"; L35: BASE_URL = process.env.ELNORA_API_URL ?? PRODUCTION_BASE_URL; ... L177: } L178: function getExitCode(err) { L179: for (const [ErrorClass, code] of EXIT_CODES) { ... L368: mkdirSync(dir, { recursive: true }); L369: if (process.platform !== "win32") { L370: try { ... L482: init_errors(); L483: CONFIG_DIR = join(homedir(), ".elnora");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L32
32Detached bundled service listener: dist/cli.js launches a Node helper and exposes a broad-bound HTTP listener. L32: "use strict"; L33: VERSION = true ? "2.4.0" : process.env.npm[redacted] ?? "0.0.0-dev"; L34: PRODUCTION_BASE_URL = "https://platform.elnora.ai/api/v1"; L35: BASE_URL = process.env.ELNORA_API_URL ?? PRODUCTION_BASE_URL; ... L177: } L178: function getExitCode(err) { L179: for (const [ErrorClass, code] of EXIT_CODES) { ... L368: mkdirSync(dir, { recursive: true }); L369: if (process.platform !== "win32") { L370: try { ... L482: init_errors(); L483: CONFIG_DIR = join(homedir(), ".elnora");
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/cli.jsView on unpkg · L32
matchType = previous_version_dangerous_delta matchedPackage = @elnora-ai/cli@2.5.1 matchedIdentity = npm:QGVsbm9yYS1haS9jbGk:2.5.1 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg

Findings

6 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighSpawned Bundled Service Listenerdist/cli.js
HighPrevious Version Dangerous Deltadist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings