registry  /  @hiperplano/aluy-cli  /  1.0.0-rc.81

@hiperplano/aluy-cli@1.0.0-rc.81

Aluy CLI — TUI (Ink) + binário `aluy` + wiring. Consome @hiperplano/aluy-cli-core (engine portável). Credenciais só no keychain do SO.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked AI terminal CLI with broad but expected command, file, keychain, and network capabilities guarded by permission logic.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the aluy CLI or explicit setup/bootstrap/login commands.
Impact
Expected ability to edit workspace files, run approved commands, store config/credentials, and call configured model/broker/local services.
Mechanism
User-invoked AI agent CLI with permission-gated tools and optional local sidecars.
Rationale
Static inspection shows a feature-rich AI agent CLI with expected dangerous primitives, but no lifecycle execution, hidden payload, unconsented credential/file harvesting, or concrete exfiltration path. The high-risk findings are explained by documented user-invoked agent, local sidecar, login, and bootstrap behavior.
Evidence
package.jsonREADME.mddist-bundle/bin/aluy.jsdist-bundle/index.jsassets/mem0/aluy-mem0-server.py~/.aluy/config.json~/.aluy/mcp.json~/.aluy/memory~/.mem0/history.db
Network endpoints5
api.aluy.app/api/v1broker.dev.aluy.example127.0.0.1:11434127.0.0.1:11435127.0.0.1:8787

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist-bundle/bin/aluy.js imports node:child_process and can spawn sidecars and user-approved tool commands.
  • dist-bundle/bin/aluy.js contains network clients for login, broker/model calls, local Ollama/Mem0/headroom, and optional downloads/bootstrap.
  • assets/mem0/aluy-mem0-server.py can reset local memory stores under ~/.aluy/memory and ~/.mem0/history.db on incompatible local state.
Evidence against
  • package.json has no lifecycle scripts; execution is via main/bin only.
  • README.md describes a terminal AI agent that reads/edits files, runs commands, and uses OS keychain credentials, matching observed capabilities.
  • dist-bundle/bin/aluy.js includes permission gating for destructive, network, privilege, package-exec, sensitive-read, and outside-workspace actions.
  • Network endpoints are product/local aligned: api.aluy.app, broker env/default placeholder, and loopback sidecars.
  • Credentials are handled through @napi-rs/keyring and redacted status output; no hardcoded exfil endpoint or credential harvesting flow found.
  • Scanner command-output exfil hint maps to intentional agent/model/tool traffic, not install/import-time unconsented exfiltration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.90 MB of source, external domains: 127.0.0.1, api.aluy.app, api.anthropic.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, api.telegram.org, api.x.ai, auth.openai.com, broker.dev.aluy.example, claude.ai, console.anthropic.com, duckduckgo.com, generativelanguage.googleapis.com, github.com, ollama.com, openrouter.ai, registry.npmjs.org

Source & flagged code

9 flagged · loading source
dist-bundle/bin/aluy.jsView file
129${n.snippet}`.trimEnd());return[`Resultados de busca para "${t}" (DuckDuckGo):`,...o,"","(As URLs acima N\xC3O foram buscadas. Para abrir uma, use web_fetch \u2014 ela passar\xE1 n... L130: `)}var BW,UW,iR,jW,aR,Kf,cR=p(()=>{"use strict";Pr();zf();Dk();BW=8;UW=Object.freeze({type:"object",properties:{url:{type:"string",description:"OBRIGAT\xD3RIO. A URL http(s) a busc... L131: ... L135: ${t.trim()}`}}function bR(t,e,o=hu){let{older:n,recent:r}=Jf(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[yR(e,n... L136: `),hu=4,Vf=1500,Xf=.4,Yf=48e3;Ci=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},pu=class{model;ke... L137: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new ye(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function l6(t,e,o){let n... ... L141: `)}function _6(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var cO=p(()=>{"use strict"});var uO=p(()=>{"use strict";dp();WR();GR();zR();KR();VR();ZR();Mm();sO();cO()... L142: `,r;try{r=Y6(o,Sx.O_CREAT|Sx.O_EXCL|Sx.
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist-bundle/bin/aluy.jsView on unpkg · L129
88L89: `):void 0}function NT(t,e,o){if(o===void 0)return e;let n=$v(t.model);return n===void 0?e:o(n)}var RT,OT,MT,vi,qv,LT,PT,qq,Wv,Wc,Gv=p(()=>{"use strict";hv();Bv();Uv();ai();Iv();Ff(... L90:
High
Child Process

Package source references child process execution.

dist-bundle/bin/aluy.jsView on unpkg · L88
135${t.trim()}`}}function bR(t,e,o=hu){let{older:n,recent:r}=Jf(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[yR(e,n... L136: `),hu=4,Vf=1500,Xf=.4,Yf=48e3;Ci=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},pu=class{model;ke... L137: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new ye(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function l6(t,e,o){let n... ... L141: `)}function _6(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var cO=p(()=>{"use strict"});var uO=p(()=>{"use strict";dp();WR();GR();zR();KR();VR();ZR();Mm();sO();cO()... L142: `,r;try{r=Y6(o,Sx.O_CREAT|Sx.O_EXCL|Sx.O_WRONLY,tG),V6(r,n),PO(r),r=void 0,Q6(o,this.file)}catch(s){if(r!==void 0)try{PO(r)}catch{}try{Z6(o)}catch{}throw s}}}});function Cx(t){let ... L143: `}`)}}else process.stderr.write(`${l?"\r":""} baixando ${e}... ${m} MB${l?"":`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L135
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var z8,K8,Cy=p(()=>{"use strict";z8="<<<FIM_DADO>>>",K8="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Y8}from"node:crypto";function Ty(t,e){let o=[...t,e];return o.length>Dy?o... L13: ... L23: L24: `)+q}}}]}var ds,Ny,DC,jm=p(()=>{"use strict";Oy();Zl();Iy();ds="room_post",Ny="room_read",DC=["ask","inform","result","ack"]});function Hm(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var Zm=p(()=>{"use strict"});function gD(t=globalThis.process?.env??{}){let e=dD(t[fD]),o=dD(t[pD]);return{maxConsecutiveLineRepeats:e!==void 0
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-bundle/bin/aluy.jsView on unpkg · L8
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var z8,K8,Cy=p(()=>{"use strict";z8="<<<FIM_DADO>>>",K8="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Y8}from"node:crypto";function Ty(t,e){let o=[...t,e];return o.length>Dy?o... L13: ... L23: L24: `)+q}}}]}var ds,Ny,DC,jm=p(()=>{"use strict";Oy();Zl();Iy();ds="room_post",Ny="room_read",DC=["ask","inform","result","ack"]});function Hm(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var Zm=p(()=>{"use strict"});function gD(t=globalThis.process?.env??{}){let e=dD(t[fD]),o=dD(t[pD]);return{maxConsecutiveLineRepeats:e!==void 0
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist-bundle/bin/aluy.jsView on unpkg · L8
8Cross-file remote execution chain: dist-bundle/bin/aluy.js spawns dist-bundle/index.js; helper contains network access plus dynamic code execution. L8: ${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var z8,K8,Cy=p(()=>{"use strict";z8="<<<FIM_DADO>>>",K8="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Y8}from"node:crypto";function Ty(t,e){let o=[...t,e];return o.length>Dy?o... L13: ... L23: L24: `)+q}}}]}var ds,Ny,DC,jm=p(()=>{"use strict";Oy();Zl();Iy();ds="room_post",Ny="room_read",DC=["ask","inform","result","ack"]});function Hm(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L8
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var z8,K8,Cy=p(()=>{"use strict";z8="<<<FIM_DADO>>>",K8="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Y8}from"node:crypto";function Ty(t,e){let o=[...t,e];return o.length>Dy?o... L13: ... L23: L24: `)+q}}}]}var ds,Ny,DC,jm=p(()=>{"use strict";Oy();Zl();Iy();ds="room_post",Ny="room_read",DC=["ask","inform","result","ack"]});function Hm(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var Zm=p(()=>{"use strict"});function gD(t=globalThis.process?.env??{}){let e=dD(t[fD]),o=dD(t[pD]);return{maxConsecutiveLineRepeats:e!==void 0
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-bundle/bin/aluy.jsView on unpkg · L8
dist-bundle/index.jsView file
426Trigger-reachable chain: manifest.main -> dist-bundle/index.js L426: - Credencial S\xD3 no keychain do SO \u2014 nunca em texto em claro. L427: - Loop de agente + ferramentas nativas + controle de permiss\xE3o integrados.`;function Ve(t,e,o={}){let n=`--${e}=`;for(let r=0;r<t.length;r++){let s=t[r];if(s===`--${e}`){let i=t... L428: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`),f({status:O,body:Y,...j?{contentType:j}:{}})}),D.on("close",()=>{if(c)return;let Y=Buffer.concat(P).toString("utf8")+(W?` ... L430: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`;f({status:O,body:ne,...j?{contentType:j}:{}});return}d(Y)})}),E=()=>{g.destroy(),d(new Error("cancelado"))},w=setTimeout(()=>... L431: ${Zo(E)}`}}catch(h){let y=u?`o proxy n\xE3o respondeu em ${f}ms (timeout)`:h instanceof Error?h.message:String(h);return{ok:!1,display:l,observation:`headroom_retrieve: falha ao fa... L432: [arquivo truncado: lidos ${this.maxReadBytes} de ${s} bytes]`:n}async readFileMeta(e){let o=this.workspace.resolveInside(e),{content:n,truncated:r,binary:s}=await Yi(o,this.maxRead...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist-bundle/index.jsView on unpkg · L426
assets/mem0/aluy-mem0-server.pyView file
path = assets/mem0/aluy-mem0-server.py kind = build_helper sizeBytes = 20729 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/mem0/aluy-mem0-server.pyView on unpkg

Findings

2 Critical5 High6 Medium5 Low
CriticalCommand Output Exfiltrationdist-bundle/bin/aluy.js
CriticalTrigger Reachable Dangerous Capabilitydist-bundle/index.js
HighChild Processdist-bundle/bin/aluy.js
HighSame File Env Network Executiondist-bundle/bin/aluy.js
HighSandbox Evasion Gated Capabilitydist-bundle/bin/aluy.js
HighCloud Metadata Accessdist-bundle/bin/aluy.js
HighCross File Remote Execution Contextdist-bundle/bin/aluy.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist-bundle/bin/aluy.js
MediumProtestware
MediumShips Build Helperassets/mem0/aluy-mem0-server.py
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License