registry  /  @hiperplano/aluy-cli  /  1.0.0-rc.82

@hiperplano/aluy-cli@1.0.0-rc.82

Aluy CLI — TUI (Ink) + binário `aluy` + wiring. Consome @hiperplano/aluy-cli-core (engine portável). Credenciais só no keychain do SO.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an AI CLI whose runtime can execute commands, edit files, call network services, and manage local sidecars after the user runs aluy.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User installs and runs the aluy CLI or invokes commands such as init, login, doctor, bootstrap, or an agent session.
Impact
Expected runtime may modify project files and ~/.aluy state and send prompts/results to configured broker/model endpoints, but no covert install-time execution or unconsented exfiltration was found.
Mechanism
user-invoked AI CLI with permission-gated tools and local sidecars
Rationale
Static source inspection shows a high-capability AI CLI, but the risky command, file, network, MCP, and sidecar behavior is user-invoked and package-aligned rather than install-time or covert. Scanner claims of command-output exfiltration/cloud metadata were not confirmed in source inspection.
Evidence
package.jsondist-bundle/bin/aluy.jsdist-bundle/index.jsassets/mem0/aluy-mem0-server.pyREADME.md~/.aluy/audit.jsonl~/.aluy/memory~/.mem0/history.db.aluy/agents/exemplo.md.aluy/workflows/exemplo.md.aluy/commands/exemplo.md
Network endpoints5
raw.githubusercontent.com/hiperplano/aluy-cli/main/docs/aluy-wordmark.pngraw.githubusercontent.com/hiperplano/aluy-cli/main/docs/aluy-wordmark-white.png127.0.0.1:11434127.0.0.1:11435broker.dev.aluy.example

Decision evidence

public snapshot
AI called this Clean at 78.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist-bundle/bin/aluy.js defines AI-agent tools for shell execution, file read/write/edit, network fetch/search, MCP, and local sidecar spawning.
  • dist-bundle/bin/aluy.js can create .aluy/agents, .aluy/workflows, .aluy/commands via user-invoked init and writes ~/.aluy/audit.jsonl.
  • assets/mem0/aluy-mem0-server.py can reset/move ~/.aluy/memory and ~/.mem0/history.db when local mem0/chromadb stores are incompatible.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts; activation is main/bin runtime only.
  • Dangerous primitives are presented as explicit AI CLI features with permission checks for destructive, network, sensitive-read, outside-workspace, and startup/config actions.
  • Network use is package-aligned: broker/model calls, local loopback sidecars, Telegram command support, README images; no cloud metadata endpoint or covert hardcoded exfil host found.
  • Secrets are stored through OS keychain/PAT login paths and README states credentials stay in OS keychain; no broad env/file harvesting loop found.
  • Sidecar spawning requires existing absolute binaries under ~/.aluy paths, refuses uid 0, checks loopback health, and logs to ~/.aluy/logs.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.90 MB of source, external domains: 127.0.0.1, api.aluy.app, api.anthropic.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, api.telegram.org, api.x.ai, auth.openai.com, broker.dev.aluy.example, claude.ai, console.anthropic.com, duckduckgo.com, generativelanguage.googleapis.com, github.com, ollama.com, openrouter.ai, registry.npmjs.org

Source & flagged code

9 flagged · loading source
dist-bundle/bin/aluy.jsView file
129${n.snippet}`.trimEnd());return[`Resultados de busca para "${t}" (DuckDuckGo):`,...o,"","(As URLs acima N\xC3O foram buscadas. Para abrir uma, use web_fetch \u2014 ela passar\xE1 n... L130: `)}var BW,UW,iR,jW,aR,Kf,cR=p(()=>{"use strict";Pr();zf();Dk();BW=8;UW=Object.freeze({type:"object",properties:{url:{type:"string",description:"OBRIGAT\xD3RIO. A URL http(s) a busc... L131: ... L135: ${t.trim()}`}}function bR(t,e,o=hu){let{older:n,recent:r}=Jf(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[yR(e,n... L136: `),hu=4,Vf=1500,Xf=.4,Yf=48e3;Ci=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},pu=class{model;ke... L137: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new ye(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function l6(t,e,o){let n... ... L141: `)}function _6(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var cO=p(()=>{"use strict"});var uO=p(()=>{"use strict";dp();WR();GR();zR();KR();VR();ZR();Mm();sO();cO()... L142: `,r;try{r=Y6(o,Sx.O_CREAT|Sx.O_EXCL|Sx.
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist-bundle/bin/aluy.jsView on unpkg · L129
88L89: `):void 0}function NT(t,e,o){if(o===void 0)return e;let n=$v(t.model);return n===void 0?e:o(n)}var RT,OT,MT,vi,qv,LT,PT,qq,Wv,Wc,Gv=p(()=>{"use strict";hv();Bv();Uv();ai();Iv();Ff(... L90:
High
Child Process

Package source references child process execution.

dist-bundle/bin/aluy.jsView on unpkg · L88
135${t.trim()}`}}function bR(t,e,o=hu){let{older:n,recent:r}=Jf(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[yR(e,n... L136: `),hu=4,Vf=1500,Xf=.4,Yf=48e3;Ci=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},pu=class{model;ke... L137: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new ye(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function l6(t,e,o){let n... ... L141: `)}function _6(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var cO=p(()=>{"use strict"});var uO=p(()=>{"use strict";dp();WR();GR();zR();KR();VR();ZR();Mm();sO();cO()... L142: `,r;try{r=Y6(o,Sx.O_CREAT|Sx.O_EXCL|Sx.O_WRONLY,tG),V6(r,n),PO(r),r=void 0,Q6(o,this.file)}catch(s){if(r!==void 0)try{PO(r)}catch{}try{Z6(o)}catch{}throw s}}}});function Cx(t){let ... L143: `}`)}}else process.stderr.write(`${l?"\r":""} baixando ${e}... ${m} MB${l?"":`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L135
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var z8,K8,Cy=p(()=>{"use strict";z8="<<<FIM_DADO>>>",K8="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Y8}from"node:crypto";function Ty(t,e){let o=[...t,e];return o.length>Dy?o... L13: ... L23: L24: `)+q}}}]}var ds,Ny,DC,jm=p(()=>{"use strict";Oy();Zl();Iy();ds="room_post",Ny="room_read",DC=["ask","inform","result","ack"]});function Hm(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var Zm=p(()=>{"use strict"});function gD(t=globalThis.process?.env??{}){let e=dD(t[fD]),o=dD(t[pD]);return{maxConsecutiveLineRepeats:e!==void 0
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-bundle/bin/aluy.jsView on unpkg · L8
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var z8,K8,Cy=p(()=>{"use strict";z8="<<<FIM_DADO>>>",K8="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Y8}from"node:crypto";function Ty(t,e){let o=[...t,e];return o.length>Dy?o... L13: ... L23: L24: `)+q}}}]}var ds,Ny,DC,jm=p(()=>{"use strict";Oy();Zl();Iy();ds="room_post",Ny="room_read",DC=["ask","inform","result","ack"]});function Hm(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var Zm=p(()=>{"use strict"});function gD(t=globalThis.process?.env??{}){let e=dD(t[fD]),o=dD(t[pD]);return{maxConsecutiveLineRepeats:e!==void 0
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist-bundle/bin/aluy.jsView on unpkg · L8
8Cross-file remote execution chain: dist-bundle/bin/aluy.js spawns dist-bundle/index.js; helper contains network access plus dynamic code execution. L8: ${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var z8,K8,Cy=p(()=>{"use strict";z8="<<<FIM_DADO>>>",K8="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Y8}from"node:crypto";function Ty(t,e){let o=[...t,e];return o.length>Dy?o... L13: ... L23: L24: `)+q}}}]}var ds,Ny,DC,jm=p(()=>{"use strict";Oy();Zl();Iy();ds="room_post",Ny="room_read",DC=["ask","inform","result","ack"]});function Hm(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L8
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var z8,K8,Cy=p(()=>{"use strict";z8="<<<FIM_DADO>>>",K8="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as Y8}from"node:crypto";function Ty(t,e){let o=[...t,e];return o.length>Dy?o... L13: ... L23: L24: `)+q}}}]}var ds,Ny,DC,jm=p(()=>{"use strict";Oy();Zl();Iy();ds="room_post",Ny="room_read",DC=["ask","inform","result","ack"]});function Hm(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var Zm=p(()=>{"use strict"});function gD(t=globalThis.process?.env??{}){let e=dD(t[fD]),o=dD(t[pD]);return{maxConsecutiveLineRepeats:e!==void 0
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-bundle/bin/aluy.jsView on unpkg · L8
dist-bundle/index.jsView file
426Trigger-reachable chain: manifest.main -> dist-bundle/index.js L426: - Credencial S\xD3 no keychain do SO \u2014 nunca em texto em claro. L427: - Loop de agente + ferramentas nativas + controle de permiss\xE3o integrados.`;function Ve(t,e,o={}){let n=`--${e}=`;for(let r=0;r<t.length;r++){let s=t[r];if(s===`--${e}`){let i=t... L428: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`),f({status:O,body:Y,...j?{contentType:j}:{}})}),D.on("close",()=>{if(c)return;let Y=Buffer.concat(P).toString("utf8")+(W?` ... L430: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`;f({status:O,body:ne,...j?{contentType:j}:{}});return}d(Y)})}),E=()=>{g.destroy(),d(new Error("cancelado"))},w=setTimeout(()=>... L431: ${Zo(E)}`}}catch(h){let y=u?`o proxy n\xE3o respondeu em ${f}ms (timeout)`:h instanceof Error?h.message:String(h);return{ok:!1,display:l,observation:`headroom_retrieve: falha ao fa... L432: [arquivo truncado: lidos ${this.maxReadBytes} de ${s} bytes]`:n}async readFileMeta(e){let o=this.workspace.resolveInside(e),{content:n,truncated:r,binary:s}=await Yi(o,this.maxRead...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist-bundle/index.jsView on unpkg · L426
assets/mem0/aluy-mem0-server.pyView file
path = assets/mem0/aluy-mem0-server.py kind = build_helper sizeBytes = 20729 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/mem0/aluy-mem0-server.pyView on unpkg

Findings

2 Critical5 High6 Medium5 Low
CriticalCommand Output Exfiltrationdist-bundle/bin/aluy.js
CriticalTrigger Reachable Dangerous Capabilitydist-bundle/index.js
HighChild Processdist-bundle/bin/aluy.js
HighSame File Env Network Executiondist-bundle/bin/aluy.js
HighSandbox Evasion Gated Capabilitydist-bundle/bin/aluy.js
HighCloud Metadata Accessdist-bundle/bin/aluy.js
HighCross File Remote Execution Contextdist-bundle/bin/aluy.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist-bundle/bin/aluy.js
MediumProtestware
MediumShips Build Helperassets/mem0/aluy-mem0-server.py
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License