registry  /  @hiperplano/aluy-cli  /  1.0.0-rc.102

@hiperplano/aluy-cli@1.0.0-rc.102

Aluy CLI — TUI (Ink) + binário `aluy` + wiring. Consome @hiperplano/aluy-cli-core (engine portável). Credenciais só no keychain do SO.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked terminal AI agent that can run commands and contact configured providers, with explicit bootstrap provisioning for optional local components.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `aluy`, grants tool permissions or uses `--yolo`, or explicitly runs `aluy bootstrap`.
Impact
Powerful behavior is package-aligned and user-triggered; installation itself does not execute code or mutate foreign agent controls.
Mechanism
Interactive AI-agent command execution and configured-provider networking.
Rationale
The scanner conflates intentional CLI agent capabilities with exfiltration. Direct inspection found no install-time execution, covert collection, or concrete malicious chain.
Evidence
package.jsondist-bundle/index.jsdist-bundle/bin/aluy.jsassets/mem0/aluy-mem0-server.pyREADME.md

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist-bundle/bin/aluy.js` implements user-invoked shell and network tools.
  • `aluy bootstrap` can provision optional local Ollama/Mem0 components after an explicit CLI command.
Evidence against
  • `package.json` contains no preinstall/install/postinstall/prepare lifecycle scripts.
  • `dist-bundle/bin/aluy.js` dispatches bootstrap, uninstall, and session features only from explicit CLI subcommands.
  • Cloud metadata addresses are rejected by an SSRF guard in `dist-bundle/bin/aluy.js`.
  • Provider requests target configured/BYO AI endpoints; no source path sends command output to an unrelated collector.
  • No `eval`, `Function`, VM, native payload, or hidden binary loader was found.
  • `assets/mem0/aluy-mem0-server.py` is a local loopback memory sidecar and persists only its local state.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 2.00 MB of source, external domains: 127.0.0.1, api.aluy.app, api.anthropic.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, api.telegram.org, api.x.ai, auth.openai.com, broker.dev.aluy.example, claude.ai, console.anthropic.com, duckduckgo.com, generativelanguage.googleapis.com, github.com, ollama.com, openrouter.ai, registry.npmjs.org

Source & flagged code

9 flagged · loading source
dist-bundle/bin/aluy.jsView file
132${n.snippet}`.trimEnd());return[`Resultados de busca para "${t}" (DuckDuckGo):`,...o,"","(As URLs acima N\xC3O foram buscadas. Para abrir uma, use web_fetch \u2014 ela passar\xE1 n... L133: `)}var KG,YG,tM,VG,oM,Kp,rM=h(()=>{"use strict";Kr();zp();Bx();KG=8;YG=Object.freeze({type:"object",properties:{url:{type:"string",description:"OBRIGAT\xD3RIO. A URL http(s) a busc... L134: ... L138: ${t.trim()}`}}function fM(t,e,o=ad){let{older:n,recent:r}=Jp(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[mM(e,n... L139: `),ad=4,Vp=1500,Xp=.4,Yp=48e3;Hi=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},id=class{model;ke... L140: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new ye(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function g9(t,e,o){let n... ... L143: `)}function I9(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var eL=h(()=>{"use strict"});var tL=h(()=>{"use strict";dh();BM();UM();jM();HM();WM();sk();Rf();XM();eL()... L144: `,r;try{r=ez(o,RS.O_CREAT|RS.O_EXCL|RS.
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist-bundle/bin/aluy.jsView on unpkg · L132
91L92: `):void 0}function OR(t,e,o,n){let r=uc(t.model);switch(r.kind){case"tier":return o?o(r.key):e;case"custom":return n?n(r.slug):e;default:return e}}var Lp,Pp,bR,_s,vR,kR,SR,ER,AR,CR... L93:
High
Child Process

Package source references child process execution.

dist-bundle/bin/aluy.jsView on unpkg · L91
138${t.trim()}`}}function fM(t,e,o=ad){let{older:n,recent:r}=Jp(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[mM(e,n... L139: `),ad=4,Vp=1500,Xp=.4,Yp=48e3;Hi=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},id=class{model;ke... L140: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new ye(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function g9(t,e,o){let n... ... L143: `)}function I9(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var eL=h(()=>{"use strict"});var tL=h(()=>{"use strict";dh();BM();UM();jM();HM();WM();sk();Rf();XM();eL()... L144: `,r;try{r=ez(o,RS.O_CREAT|RS.O_EXCL|RS.O_WRONLY,az),tz(r,n),AL(r),r=void 0,rz(o,this.file)}catch(s){if(r!==void 0)try{AL(r)}catch{}try{sz(o)}catch{}throw s}}}});function PS(t){let ... L145: `}`)}}else process.stderr.write(`${c?"\r":""} baixando ${e}... ${m} MB${c?"":`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L138
10${o.join(` L11: `)}`}async function Pq(t,e){if(!e.capabilities)return{ok:!1,observation:"capabilities: indispon\xEDvel nesta sess\xE3o (sem porta de capacidades)."};let o=t.filter,n=typeof o=="str... L12: `).map(s=>s.trim()===""?"":` ${s}`).join(` L13: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L14: `)}var Jq,Qq,Mb=h(()=>{"use strict";Jq="<<<FIM_DADO>>>",Qq="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Zq}from"node:crypto";function Pb(t,e){let o=[...t,e];return o.length>Lb?o... L15: ... L25: L26: `)+I}}}]}var Ss,qb,eD,Bf=h(()=>{"use strict";Fb();Wl();Hb();Ss="room_post",qb="room_read",eD=["ask","inform","result","ack"]});function n3(t){let e=t.command;if(typeof e!="string"|... L27: `);let s=o.indexOf(` ... L32: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L33: `)}:null}var Jf=h(()=>{"use strict"});function HD(t=globalThis.process?.env??{},e){let o=Zf(t[BD])??Zf(e?.maxConsecutiveLineRepeats),n=Zf(t[UD])??Zf(e?.minCycleSpanChars);return{ma... L34: ${s}`:(r+s).trim()}function K_(t,e){let o=Math.min(t.lengt
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-bundle/bin/aluy.jsView on unpkg · L10
10${o.join(` L11: `)}`}async function Pq(t,e){if(!e.capabilities)return{ok:!1,observation:"capabilities: indispon\xEDvel nesta sess\xE3o (sem porta de capacidades)."};let o=t.filter,n=typeof o=="str... L12: `).map(s=>s.trim()===""?"":` ${s}`).join(` L13: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L14: `)}var Jq,Qq,Mb=h(()=>{"use strict";Jq="<<<FIM_DADO>>>",Qq="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Zq}from"node:crypto";function Pb(t,e){let o=[...t,e];return o.length>Lb?o... L15: ... L25: L26: `)+I}}}]}var Ss,qb,eD,Bf=h(()=>{"use strict";Fb();Wl();Hb();Ss="room_post",qb="room_read",eD=["ask","inform","result","ack"]});function n3(t){let e=t.command;if(typeof e!="string"|... L27: `);let s=o.indexOf(` ... L32: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L33: `)}:null}var Jf=h(()=>{"use strict"});function HD(t=globalThis.process?.env??{},e){let o=Zf(t[BD])??Zf(e?.maxConsecutiveLineRepeats),n=Zf(t[UD])??Zf(e?.minCycleSpanChars);return{ma... L34: ${s}`:(r+s).trim()}function K_(t,e){let o=Math.min(t.lengt
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist-bundle/bin/aluy.jsView on unpkg · L10
10Cross-file remote execution chain: dist-bundle/bin/aluy.js spawns dist-bundle/index.js; helper contains network access plus dynamic code execution. L10: ${o.join(` L11: `)}`}async function Pq(t,e){if(!e.capabilities)return{ok:!1,observation:"capabilities: indispon\xEDvel nesta sess\xE3o (sem porta de capacidades)."};let o=t.filter,n=typeof o=="str... L12: `).map(s=>s.trim()===""?"":` ${s}`).join(` L13: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L14: `)}var Jq,Qq,Mb=h(()=>{"use strict";Jq="<<<FIM_DADO>>>",Qq="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Zq}from"node:crypto";function Pb(t,e){let o=[...t,e];return o.length>Lb?o... L15: ... L25: L26: `)+I}}}]}var Ss,qb,eD,Bf=h(()=>{"use strict";Fb();Wl();Hb();Ss="room_post",qb="room_read",eD=["ask","inform","result","ack"]});function n3(t){let e=t.command;if(typeof e!="string"|... L27: `);let s=o.indexOf(` ... L32: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L33: `)}:null}var Jf=h(()=>{"use strict"});function HD(t=globalThis.process?.env??{},e){let o=Zf(t[BD])…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L10
10${o.join(` L11: `)}`}async function Pq(t,e){if(!e.capabilities)return{ok:!1,observation:"capabilities: indispon\xEDvel nesta sess\xE3o (sem porta de capacidades)."};let o=t.filter,n=typeof o=="str... L12: `).map(s=>s.trim()===""?"":` ${s}`).join(` L13: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L14: `)}var Jq,Qq,Mb=h(()=>{"use strict";Jq="<<<FIM_DADO>>>",Qq="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Zq}from"node:crypto";function Pb(t,e){let o=[...t,e];return o.length>Lb?o... L15: ... L25: L26: `)+I}}}]}var Ss,qb,eD,Bf=h(()=>{"use strict";Fb();Wl();Hb();Ss="room_post",qb="room_read",eD=["ask","inform","result","ack"]});function n3(t){let e=t.command;if(typeof e!="string"|... L27: `);let s=o.indexOf(` ... L32: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L33: `)}:null}var Jf=h(()=>{"use strict"});function HD(t=globalThis.process?.env??{},e){let o=Zf(t[BD])??Zf(e?.maxConsecutiveLineRepeats),n=Zf(t[UD])??Zf(e?.minCycleSpanChars);return{ma... L34: ${s}`:(r+s).trim()}function K_(t,e){let o=Math.min(t.lengt
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-bundle/bin/aluy.jsView on unpkg · L10
dist-bundle/index.jsView file
428Trigger-reachable chain: manifest.main -> dist-bundle/index.js L428: - Credencial S\xD3 no keychain do SO \u2014 nunca em texto em claro. L429: - Loop de agente + ferramentas nativas + controle de permiss\xE3o integrados.`;function nt(t,e,o={}){let n=`--${e}=`;for(let r=0;r<t.length;r++){let s=t[r];if(s===`--${e}`){let i=t... L430: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`),m({status:_,body:z,...P?{contentType:P}:{}})}),w.on("close",()=>{if(l)return;let z=Buffer.concat(B).toString("utf8")+($?` ... L432: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`;m({status:_,body:oe,...P?{contentType:P}:{}});return}d(z)})}),E=()=>{h.destroy(),d(new Error("cancelado"))},k=setTimeout(()=>... L433: ${sn(E)}`}}catch(g){let y=u?`o proxy n\xE3o respondeu em ${m}ms (timeout)`:g instanceof Error?g.message:String(g);return{ok:!1,display:c,observation:`headroom_retrieve: falha ao fa... L434: [arquivo truncado: lidos ${this.maxReadBytes} de ${s} bytes]`:n}async readFileMeta(e){let o=this.workspace.resolveInside(e),{content:n,truncated:r,binary:s}=await Sa(o,this.maxRead...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist-bundle/index.jsView on unpkg · L428
assets/mem0/aluy-mem0-server.pyView file
path = assets/mem0/aluy-mem0-server.py kind = build_helper sizeBytes = 20729 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/mem0/aluy-mem0-server.pyView on unpkg

Findings

2 Critical5 High6 Medium5 Low
CriticalCommand Output Exfiltrationdist-bundle/bin/aluy.js
CriticalTrigger Reachable Dangerous Capabilitydist-bundle/index.js
HighChild Processdist-bundle/bin/aluy.js
HighSame File Env Network Executiondist-bundle/bin/aluy.js
HighSandbox Evasion Gated Capabilitydist-bundle/bin/aluy.js
HighCloud Metadata Accessdist-bundle/bin/aluy.js
HighCross File Remote Execution Contextdist-bundle/bin/aluy.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist-bundle/bin/aluy.js
MediumProtestware
MediumShips Build Helperassets/mem0/aluy-mem0-server.py
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License