registry  /  @hiperplano/aluy-cli  /  1.0.0-rc.101

@hiperplano/aluy-cli@1.0.0-rc.101

Aluy CLI — TUI (Ink) + binário `aluy` + wiring. Consome @hiperplano/aluy-cli-core (engine portável). Credenciais só no keychain do SO.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. This is a user-invoked terminal agent that can execute approved commands and contact configured LLM providers; the inspected source contains permission controls and SSRF blocking.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit execution of `aluy` commands, including interactive agent sessions or optional bootstrap.
Impact
Normal CLI-agent capability; no unconsented install-time action or command-output exfiltration was confirmed.
Mechanism
User-directed agent tooling with configured provider and local sidecar connectivity.
Rationale
Scanner findings conflate intentional CLI-agent functionality with malicious behavior. Direct source inspection found no lifecycle trigger or concrete exfiltration/persistence chain, while the metadata endpoint reference is a blocklist check.
Evidence
package.jsondist-bundle/bin/aluy.jsdist-bundle/index.jsassets/mem0/aluy-mem0-server.pyREADME.md

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist-bundle/bin/aluy.js` implements a CLI agent capable of user-directed shell commands and optional bootstrap actions.
Evidence against
  • `package.json` contains no preinstall, install, postinstall, or prepare hook.
  • `dist-bundle/bin/aluy.js` dispatches bootstrap, uninstall, login, and session features only from explicit CLI subcommands.
  • The cloud-metadata string is in an anti-SSRF denylist that blocks `169.254.169.254` and private/link-local targets.
  • Provider requests target configured BYO LLM endpoints; no source path was found sending shell output or harvested credentials to an attacker endpoint.
  • Credentials are handled through `@napi-rs/keyring`; the included Python memory sidecar binds to `127.0.0.1`.
  • No stealth persistence, foreign AI-agent config mutation, payload download-and-execute chain, or install-time execution was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 2.00 MB of source, external domains: 127.0.0.1, api.aluy.app, api.anthropic.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, api.telegram.org, api.x.ai, auth.openai.com, broker.dev.aluy.example, claude.ai, console.anthropic.com, duckduckgo.com, generativelanguage.googleapis.com, github.com, ollama.com, openrouter.ai, registry.npmjs.org

Source & flagged code

10 flagged · loading source
dist-bundle/bin/aluy.jsView file
132${n.snippet}`.trimEnd());return[`Resultados de busca para "${t}" (DuckDuckGo):`,...o,"","(As URLs acima N\xC3O foram buscadas. Para abrir uma, use web_fetch \u2014 ela passar\xE1 n... L133: `)}var KG,YG,tM,VG,oM,Kp,rM=h(()=>{"use strict";Kr();zp();Bx();KG=8;YG=Object.freeze({type:"object",properties:{url:{type:"string",description:"OBRIGAT\xD3RIO. A URL http(s) a busc... L134: ... L138: ${t.trim()}`}}function fM(t,e,o=ad){let{older:n,recent:r}=Jp(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[mM(e,n... L139: `),ad=4,Vp=1500,Xp=.4,Yp=48e3;Hi=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},id=class{model;ke... L140: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new ye(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function g9(t,e,o){let n... ... L143: `)}function I9(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var eL=h(()=>{"use strict"});var tL=h(()=>{"use strict";dh();BM();UM();jM();HM();WM();sk();Rf();XM();eL()... L144: `,r;try{r=ez(o,RS.O_CREAT|RS.O_EXCL|RS.
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist-bundle/bin/aluy.jsView on unpkg · L132
matchType = previous_version_dangerous_delta matchedPackage = @hiperplano/aluy-cli@1.0.0-rc.98 matchedIdentity = npm:QGhpcGVycGxhbm8vYWx1eS1jbGk:1.0.0-rc.98 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist-bundle/bin/aluy.jsView on unpkg
91L92: `):void 0}function OR(t,e,o,n){let r=uc(t.model);switch(r.kind){case"tier":return o?o(r.key):e;case"custom":return n?n(r.slug):e;default:return e}}var Lp,Pp,bR,_s,vR,kR,SR,ER,AR,CR... L93:
High
Child Process

Package source references child process execution.

dist-bundle/bin/aluy.jsView on unpkg · L91
138${t.trim()}`}}function fM(t,e,o=ad){let{older:n,recent:r}=Jp(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[mM(e,n... L139: `),ad=4,Vp=1500,Xp=.4,Yp=48e3;Hi=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},id=class{model;ke... L140: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new ye(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function g9(t,e,o){let n... ... L143: `)}function I9(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var eL=h(()=>{"use strict"});var tL=h(()=>{"use strict";dh();BM();UM();jM();HM();WM();sk();Rf();XM();eL()... L144: `,r;try{r=ez(o,RS.O_CREAT|RS.O_EXCL|RS.O_WRONLY,az),tz(r,n),AL(r),r=void 0,rz(o,this.file)}catch(s){if(r!==void 0)try{AL(r)}catch{}try{sz(o)}catch{}throw s}}}});function PS(t){let ... L145: `}`)}}else process.stderr.write(`${c?"\r":""} baixando ${e}... ${m} MB${c?"":`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L138
10${o.join(` L11: `)}`}async function Pq(t,e){if(!e.capabilities)return{ok:!1,observation:"capabilities: indispon\xEDvel nesta sess\xE3o (sem porta de capacidades)."};let o=t.filter,n=typeof o=="str... L12: `).map(s=>s.trim()===""?"":` ${s}`).join(` L13: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L14: `)}var Jq,Qq,Mb=h(()=>{"use strict";Jq="<<<FIM_DADO>>>",Qq="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Zq}from"node:crypto";function Pb(t,e){let o=[...t,e];return o.length>Lb?o... L15: ... L25: L26: `)+I}}}]}var Ss,qb,eD,Bf=h(()=>{"use strict";Fb();Wl();Hb();Ss="room_post",qb="room_read",eD=["ask","inform","result","ack"]});function n3(t){let e=t.command;if(typeof e!="string"|... L27: `);let s=o.indexOf(` ... L32: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L33: `)}:null}var Jf=h(()=>{"use strict"});function HD(t=globalThis.process?.env??{},e){let o=Zf(t[BD])??Zf(e?.maxConsecutiveLineRepeats),n=Zf(t[UD])??Zf(e?.minCycleSpanChars);return{ma... L34: ${s}`:(r+s).trim()}function K_(t,e){let o=Math.min(t.lengt
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-bundle/bin/aluy.jsView on unpkg · L10
10${o.join(` L11: `)}`}async function Pq(t,e){if(!e.capabilities)return{ok:!1,observation:"capabilities: indispon\xEDvel nesta sess\xE3o (sem porta de capacidades)."};let o=t.filter,n=typeof o=="str... L12: `).map(s=>s.trim()===""?"":` ${s}`).join(` L13: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L14: `)}var Jq,Qq,Mb=h(()=>{"use strict";Jq="<<<FIM_DADO>>>",Qq="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Zq}from"node:crypto";function Pb(t,e){let o=[...t,e];return o.length>Lb?o... L15: ... L25: L26: `)+I}}}]}var Ss,qb,eD,Bf=h(()=>{"use strict";Fb();Wl();Hb();Ss="room_post",qb="room_read",eD=["ask","inform","result","ack"]});function n3(t){let e=t.command;if(typeof e!="string"|... L27: `);let s=o.indexOf(` ... L32: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L33: `)}:null}var Jf=h(()=>{"use strict"});function HD(t=globalThis.process?.env??{},e){let o=Zf(t[BD])??Zf(e?.maxConsecutiveLineRepeats),n=Zf(t[UD])??Zf(e?.minCycleSpanChars);return{ma... L34: ${s}`:(r+s).trim()}function K_(t,e){let o=Math.min(t.lengt
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist-bundle/bin/aluy.jsView on unpkg · L10
10Cross-file remote execution chain: dist-bundle/bin/aluy.js spawns dist-bundle/index.js; helper contains network access plus dynamic code execution. L10: ${o.join(` L11: `)}`}async function Pq(t,e){if(!e.capabilities)return{ok:!1,observation:"capabilities: indispon\xEDvel nesta sess\xE3o (sem porta de capacidades)."};let o=t.filter,n=typeof o=="str... L12: `).map(s=>s.trim()===""?"":` ${s}`).join(` L13: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L14: `)}var Jq,Qq,Mb=h(()=>{"use strict";Jq="<<<FIM_DADO>>>",Qq="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Zq}from"node:crypto";function Pb(t,e){let o=[...t,e];return o.length>Lb?o... L15: ... L25: L26: `)+I}}}]}var Ss,qb,eD,Bf=h(()=>{"use strict";Fb();Wl();Hb();Ss="room_post",qb="room_read",eD=["ask","inform","result","ack"]});function n3(t){let e=t.command;if(typeof e!="string"|... L27: `);let s=o.indexOf(` ... L32: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L33: `)}:null}var Jf=h(()=>{"use strict"});function HD(t=globalThis.process?.env??{},e){let o=Zf(t[BD])…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L10
10${o.join(` L11: `)}`}async function Pq(t,e){if(!e.capabilities)return{ok:!1,observation:"capabilities: indispon\xEDvel nesta sess\xE3o (sem porta de capacidades)."};let o=t.filter,n=typeof o=="str... L12: `).map(s=>s.trim()===""?"":` ${s}`).join(` L13: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L14: `)}var Jq,Qq,Mb=h(()=>{"use strict";Jq="<<<FIM_DADO>>>",Qq="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Zq}from"node:crypto";function Pb(t,e){let o=[...t,e];return o.length>Lb?o... L15: ... L25: L26: `)+I}}}]}var Ss,qb,eD,Bf=h(()=>{"use strict";Fb();Wl();Hb();Ss="room_post",qb="room_read",eD=["ask","inform","result","ack"]});function n3(t){let e=t.command;if(typeof e!="string"|... L27: `);let s=o.indexOf(` ... L32: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L33: `)}:null}var Jf=h(()=>{"use strict"});function HD(t=globalThis.process?.env??{},e){let o=Zf(t[BD])??Zf(e?.maxConsecutiveLineRepeats),n=Zf(t[UD])??Zf(e?.minCycleSpanChars);return{ma... L34: ${s}`:(r+s).trim()}function K_(t,e){let o=Math.min(t.lengt
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-bundle/bin/aluy.jsView on unpkg · L10
dist-bundle/index.jsView file
428Trigger-reachable chain: manifest.main -> dist-bundle/index.js L428: - Credencial S\xD3 no keychain do SO \u2014 nunca em texto em claro. L429: - Loop de agente + ferramentas nativas + controle de permiss\xE3o integrados.`;function nt(t,e,o={}){let n=`--${e}=`;for(let r=0;r<t.length;r++){let s=t[r];if(s===`--${e}`){let i=t... L430: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`),m({status:_,body:z,...P?{contentType:P}:{}})}),w.on("close",()=>{if(l)return;let z=Buffer.concat(B).toString("utf8")+($?` ... L432: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`;m({status:_,body:oe,...P?{contentType:P}:{}});return}d(z)})}),E=()=>{h.destroy(),d(new Error("cancelado"))},k=setTimeout(()=>... L433: ${sn(E)}`}}catch(g){let y=u?`o proxy n\xE3o respondeu em ${m}ms (timeout)`:g instanceof Error?g.message:String(g);return{ok:!1,display:c,observation:`headroom_retrieve: falha ao fa... L434: [arquivo truncado: lidos ${this.maxReadBytes} de ${s} bytes]`:n}async readFileMeta(e){let o=this.workspace.resolveInside(e),{content:n,truncated:r,binary:s}=await Sa(o,this.maxRead...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist-bundle/index.jsView on unpkg · L428
assets/mem0/aluy-mem0-server.pyView file
path = assets/mem0/aluy-mem0-server.py kind = build_helper sizeBytes = 20729 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/mem0/aluy-mem0-server.pyView on unpkg

Findings

3 Critical5 High6 Medium5 Low
CriticalCommand Output Exfiltrationdist-bundle/bin/aluy.js
CriticalTrigger Reachable Dangerous Capabilitydist-bundle/index.js
CriticalPrevious Version Dangerous Deltadist-bundle/bin/aluy.js
HighChild Processdist-bundle/bin/aluy.js
HighSame File Env Network Executiondist-bundle/bin/aluy.js
HighSandbox Evasion Gated Capabilitydist-bundle/bin/aluy.js
HighCloud Metadata Accessdist-bundle/bin/aluy.js
HighCross File Remote Execution Contextdist-bundle/bin/aluy.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist-bundle/bin/aluy.js
MediumProtestware
MediumShips Build Helperassets/mem0/aluy-mem0-server.py
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License