registry  /  @geodesics-protocol/cli  /  0.2.2

@geodesics-protocol/cli@0.2.2

Geodesics swap skill CLI: gasless cross-chain swaps for agents.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. Residual risk is explicit user-command setup that can install first-party agent skill instructions and save wallet credentials, plus user-invoked swap signing of real funds.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm global install prints banner; geodesics init/swap/activate trigger setup or wallet actions
Impact
Could move user wallet funds only when the user invokes swap/activate with configured credentials; can modify agent config only through interactive init choices.
Mechanism
interactive first-party agent skill setup and package-aligned swap signing
Rationale
Source inspection does not support a malicious verdict: the dangerous primitives are explicit, documented swap functionality, and the lifecycle hook is inert onboarding output. Because init can install first-party AI-agent skill files and credentials, warn rather than mark fully clean.
Evidence
package.jsonscripts/postinstall.mjsdist/index.jsSKILL.mdREADME.mdQUICKSTART.md.env~/.geodesics/.env.geodesics.json.claude/skills/geodesics/SKILL.md.cursor/rules/geodesics.mdcAGENTS.md~/.codex/AGENTS.md
Network endpoints6
api.geodesics.aiapi.mainnet-beta.solana.comrobinhood-mainnet.g.alchemy.com/v2rpc.mainnet.chain.robinhood.comapp.virtuals.io/acp/agentsbasescan.org/address/

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall, but scripts/postinstall.mjs only prints a global-install onboarding banner.
  • dist/index.js runInit can write AI-agent skill files to .claude, .cursor, AGENTS.md, or ~/.codex/AGENTS.md after interactive selection.
  • dist/index.js writes credentials to .env or ~/.geodesics/.env during geodesics init.
  • dist/index.js signs/submits wallet swap operations from explicit swap/activate commands using AGENT_SIGNER_PRIVATE_KEY.
Evidence against
  • No install-time credential harvesting, network call, file mutation, or broad agent config mutation found.
  • Wallet transfers/signatures are package-aligned cross-chain swap behavior and require explicit CLI commands and user-provided credentials.
  • Network calls go to configured Geodesics API, Solana/RPC providers, Privy adapter paths, or documented verification/status routes.
  • Packaged SKILL.md/README/QUICKSTART contain product instructions, not reviewer/prompt manipulation or hidden exfiltration instructions.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 354 KB of source, external domains: api.geodesics.ai, api.mainnet-beta.solana.com, app.virtuals.io, basescan.org, geodesics.ai, robinhood-mainnet.g.alchemy.com, robinhoodchain.blockscout.com, rpc.mainnet.chain.robinhood.com, viem.sh

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
8import pc from 'picocolors'; L9: import { PublicKey, Connection, VersionedTransaction } from '@solana/web3.js'; L10: import { defineChain, formatUnits, erc20Abi, createPublicClient, http, encodeFunctionData } from 'viem'; ... L12: import { resolve, dirname, join } from 'path'; L13: import { randomBytes, createPrivateKey } from 'crypto'; L14: import { defineAlchemyChain, bsc, polygon, optimism, arbitrum, mainnet, base } from '@account-kit/infra'; ... L53: errorConfig = { L54: getDocsUrl: ({ docsBaseUrl, docsPath = "", docsSlug }) => docsPath ? `${docsBaseUrl ?? "https://viem.sh"}${docsPath}${docsSlug ? `#${docsSlug}` : ""}` : void 0, L55: version: `viem@${version}` ... L303: for (let index = 0, j = 0; index < length; index++) { L304: const nibbleLeft = charCodeToBase16(hexString.charCodeAt(j++)); L305: const nibbleRight = charCodeToBase16(hexString.charCodeAt(j++));
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/index.jsView on unpkg · L8
8Trigger-reachable chain: manifest.bin -> dist/index.js L8: import pc from 'picocolors'; L9: import { PublicKey, Connection, VersionedTransaction } from '@solana/web3.js'; L10: import { defineChain, formatUnits, erc20Abi, createPublicClient, http, encodeFunctionData } from 'viem'; ... L12: import { resolve, dirname, join } from 'path'; L13: import { randomBytes, createPrivateKey } from 'crypto'; L14: import { defineAlchemyChain, bsc, polygon, optimism, arbitrum, mainnet, base } from '@account-kit/infra'; ... L53: errorConfig = { L54: getDocsUrl: ({ docsBaseUrl, docsPath = "", docsSlug }) => docsPath ? `${docsBaseUrl ?? "https://viem.sh"}${docsPath}${docsSlug ? `#${docsSlug}` : ""}` : void 0, L55: version: `viem@${version}` ... L303: for (let index = 0, j = 0; index < length; index++) { L304: const nibbleLeft = charCodeToBase16(hexString.charCodeAt(j++)); L305: const nibbleRight = charCodeToBase16(hexString.charCodeAt(j++));
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L8

Findings

2 Critical1 High4 Medium4 Low
CriticalWallet Draindist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings