registry  /  @getaimd/cli  /  1.0.2

@getaimd/cli@1.0.2

Zero-friction CLI client for AIMD Marketplace — install packages, run SEM runbooks, and audit your workspace.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A user-invoked `pull` or `install` downloads a marketplace archive and extracts it without validating entry paths. A malicious archive can escape the intended target directory and overwrite files accessible to the CLI user.

Static reason
One or more suspicious static signals were detected.
Trigger
Authenticated user runs `aimd pull` or `aimd install` against a malicious marketplace listing.
Impact
Arbitrary file overwrite; a staged archive may subsequently cause code execution through overwritten project or user files.
Mechanism
Unvalidated ZIP extraction path traversal (Zip Slip).
Rationale
Source inspection found a concrete remote-archive path traversal vulnerability, but no evidence that this package independently performs malicious or unconsented install-time actions. Flag it as a warning rather than a publication block.
Evidence
package.jsonbin/aimd.jsdist/index.jsdist/compliance/secrets.jsdist/compliance/scanner.jsdist/utils/ignore.js
Network endpoints2
localhost:3000/api/cli/pulllocalhost:3000/api/media/download?path=...

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/index.js` extracts remote ZIP entries with `path.join(targetDir, filename)` without traversal validation.
  • `pull`/`install` fetch archives from the configured AIMD server and write every ZIP entry.
  • `run` executes explicitly annotated Markdown shell blocks after displaying each command and prompting.
  • `hook install` explicitly writes only `.git/hooks/pre-commit` when user invokes it.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `bin/aimd.js` only imports the CLI entrypoint; actions require a named CLI command.
  • The secret regexes in `dist/compliance/secrets.js` are local audit patterns, not embedded credentials.
  • No hidden endpoint, credential exfiltration, persistence, or foreign AI-agent configuration write was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 155 KB of source, external domains: api.osv.dev

Source & flagged code

5 flagged · loading source
dist/compliance/secrets.jsView file
62patternName = private_key_rsa severity = critical line = 62 matchedText = return "...D]";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/compliance/secrets.jsView on unpkg · L62
62patternName = private_key_rsa severity = critical line = 62 matchedText = return "...D]";
Critical
Secret Pattern

RSA private key in dist/compliance/secrets.js

dist/compliance/secrets.jsView on unpkg · L62
dist/index.jsView file
6import JSZip from "jszip"; L7: import { spawn } from "child_process"; L8: import { runLocalComplianceScan } from "./compliance/scanner.js";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L6
643const child = spawn(command, { L644: shell: true, L645: env: { ...cleanEnv, ...env },
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L643
6import JSZip from "jszip"; L7: import { spawn } from "child_process"; L8: import { runLocalComplianceScan } from "./compliance/scanner.js"; ... L20: // Default local server fallback L21: const getServerUrl = () => process.env.AIMD_SERVER_URL || "http://localhost:3000"; L22: const CRYPTO_ALGORITHM = "aes-256-gcm";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L6

Findings

2 Critical3 High2 Medium5 Low
CriticalCritical Secretdist/compliance/secrets.js
CriticalSecret Patterndist/compliance/secrets.js
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings