registry  /  @hiperplano/aluy-cli  /  1.0.0-rc.93

@hiperplano/aluy-cli@1.0.0-rc.93

Aluy CLI — TUI (Ink) + binário `aluy` + wiring. Consome @hiperplano/aluy-cli-core (engine portável). Credenciais só no keychain do SO.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Running the aluy CLI or explicit subcommands such as onboard/bootstrap/launch/telegram.
Impact
Could modify files, execute commands, and communicate with configured services during agent sessions, especially in --yolo mode.
Mechanism
user-invoked local agent automation with configurable network providers and sidecars
Policy narrative
No malicious install/import-time path was confirmed. The package exposes an agent runtime that can run commands, edit files, connect MCP servers, poll Telegram, and spawn local sidecars after the user runs the CLI or setup commands; those capabilities are high-risk but documented and aligned with the package purpose.
Rationale
Static source inspection supports a warning for dangerous agent capabilities, not a publish block: there are no lifecycle hooks and no confirmed covert credential theft, exfiltration, or unconsented foreign AI-agent control-surface mutation. The scanner's command-output exfiltration and metadata hints map to normal agent/network/provider code and loopback sidecar checks rather than a concrete attack flow.
Evidence
package.jsonREADME.mddist-bundle/bin/aluy.jsdist-bundle/index.jsassets/mem0/aluy-mem0-server.py~/.aluy/~/.aluy/mcp.json.mcp.json~/.codex/config.tomlALUY.md.aluy/~/.aluy/logs~/.aluy/memory
Network endpoints3
api.telegram.org127.0.0.1:11434127.0.0.1:11435

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist-bundle/bin/aluy.js implements an AI agent CLI that can edit files, run commands, use MCP tools, and has a --yolo/unsafe mode.
  • dist-bundle/bin/aluy.js can spawn detached first-party sidecars from ~/.aluy paths and write logs under ~/.aluy/logs when the CLI launches.
  • dist-bundle/bin/aluy.js includes Telegram long-poll support against api.telegram.org when configured.
  • README.md documents user-invoked setup of ~/.aluy, .aluy, .mcp.json, and optional turbo sidecars.
Evidence against
  • package.json has no npm lifecycle scripts; behavior is not install-time triggered.
  • Entrypoints are main dist-bundle/index.js and bin dist-bundle/bin/aluy.js; risky actions are CLI/user-command driven.
  • No confirmed credential harvesting or arbitrary exfiltration path found; credentials are described/stored via OS keychain or env for configured providers.
  • Network use is package-aligned: configured LLM/broker/MCP/Telegram integrations and loopback sidecars.
  • Agent config writes are primarily first-party ~/.aluy/.aluy or explicit project files, not unconsented foreign agent control-surface mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.92 MB of source, external domains: 127.0.0.1, api.aluy.app, api.anthropic.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, api.telegram.org, api.x.ai, auth.openai.com, broker.dev.aluy.example, claude.ai, console.anthropic.com, duckduckgo.com, generativelanguage.googleapis.com, github.com, ollama.com, openrouter.ai, registry.npmjs.org

Source & flagged code

9 flagged · loading source
dist-bundle/bin/aluy.jsView file
129${n.snippet}`.trimEnd());return[`Resultados de busca para "${t}" (DuckDuckGo):`,...o,"","(As URLs acima N\xC3O foram buscadas. Para abrir uma, use web_fetch \u2014 ela passar\xE1 n... L130: `)}var m6,f6,ER,p6,AR,sp,TR=p(()=>{"use strict";Nr();rp();Lk();m6=8;f6=Object.freeze({type:"object",properties:{url:{type:"string",description:"OBRIGAT\xD3RIO. A URL http(s) a busc... L131: ... L135: ${t.trim()}`}}function IR(t,e,o=wu){let{older:n,recent:r}=cp(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[FR(e,n... L136: `),wu=4,ap=1500,lp=.4,ip=48e3;Ri=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},Su=class{model;ke... L137: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new be(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function F6(t,e,o){let n... ... L141: `)}function oG(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var TO=p(()=>{"use strict"});var DO=p(()=>{"use strict";wp();lO();cO();uO();dO();fO();yO();Wm();wO();TO()... L142: `,r;try{r=xG(o,Dx.O_CREAT|Dx.O_EXCL|Dx.
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist-bundle/bin/aluy.jsView on unpkg · L129
88L89: `):void 0}function t_(t,e,o){if(o===void 0)return e;let n=Wv(t.model);return n===void 0?e:o(n)}var Y0,V0,X0,wi,Vv,J0,Q0,gW,Xv,Qc,Jv=p(()=>{"use strict";xv();Gv();zv();di();Hv();Kf(... L90:
High
Child Process

Package source references child process execution.

dist-bundle/bin/aluy.jsView on unpkg · L88
135${t.trim()}`}}function IR(t,e,o=wu){let{older:n,recent:r}=cp(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[FR(e,n... L136: `),wu=4,ap=1500,lp=.4,ip=48e3;Ri=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},Su=class{model;ke... L137: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new be(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function F6(t,e,o){let n... ... L141: `)}function oG(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var TO=p(()=>{"use strict"});var DO=p(()=>{"use strict";wp();lO();cO();uO();dO();fO();yO();Wm();wO();TO()... L142: `,r;try{r=xG(o,Dx.O_CREAT|Dx.O_EXCL|Dx.O_WRONLY,DG),SG(r,n),QO(r),r=void 0,AG(o,this.file)}catch(s){if(r!==void 0)try{QO(r)}catch{}try{CG(o)}catch{}throw s}}}});function Mx(t){let ... L143: `}`)}}else process.stderr.write(`${l?"\r":""} baixando ${e}... ${m} MB${l?"":`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L135
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var bH,vH,My=p(()=>{"use strict";bH="<<<FIM_DADO>>>",vH="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as kH}from"node:crypto";function Py(t,e){let o=[...t,e];return o.length>Ly?o... L13: ... L23: L24: `)+G}}}]}var gs,qy,qC,Zm=p(()=>{"use strict";Ny();ic();Hy();gs="room_post",qy="room_read",qC=["ask","inform","result","ack"]});function ef(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var mf=p(()=>{"use strict"});function MT(t=globalThis.process?.env??{}){let e=TT(t[_T]),o=TT(t[RT]);return{maxConsecutiveLineRepeats:e!==void 0
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-bundle/bin/aluy.jsView on unpkg · L8
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var bH,vH,My=p(()=>{"use strict";bH="<<<FIM_DADO>>>",vH="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as kH}from"node:crypto";function Py(t,e){let o=[...t,e];return o.length>Ly?o... L13: ... L23: L24: `)+G}}}]}var gs,qy,qC,Zm=p(()=>{"use strict";Ny();ic();Hy();gs="room_post",qy="room_read",qC=["ask","inform","result","ack"]});function ef(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var mf=p(()=>{"use strict"});function MT(t=globalThis.process?.env??{}){let e=TT(t[_T]),o=TT(t[RT]);return{maxConsecutiveLineRepeats:e!==void 0
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist-bundle/bin/aluy.jsView on unpkg · L8
8Cross-file remote execution chain: dist-bundle/bin/aluy.js spawns dist-bundle/index.js; helper contains network access plus dynamic code execution. L8: ${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var bH,vH,My=p(()=>{"use strict";bH="<<<FIM_DADO>>>",vH="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as kH}from"node:crypto";function Py(t,e){let o=[...t,e];return o.length>Ly?o... L13: ... L23: L24: `)+G}}}]}var gs,qy,qC,Zm=p(()=>{"use strict";Ny();ic();Hy();gs="room_post",qy="room_read",qC=["ask","inform","result","ack"]});function ef(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L8
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var bH,vH,My=p(()=>{"use strict";bH="<<<FIM_DADO>>>",vH="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as kH}from"node:crypto";function Py(t,e){let o=[...t,e];return o.length>Ly?o... L13: ... L23: L24: `)+G}}}]}var gs,qy,qC,Zm=p(()=>{"use strict";Ny();ic();Hy();gs="room_post",qy="room_read",qC=["ask","inform","result","ack"]});function ef(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var mf=p(()=>{"use strict"});function MT(t=globalThis.process?.env??{}){let e=TT(t[_T]),o=TT(t[RT]);return{maxConsecutiveLineRepeats:e!==void 0
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-bundle/bin/aluy.jsView on unpkg · L8
dist-bundle/index.jsView file
426Trigger-reachable chain: manifest.main -> dist-bundle/index.js L426: - Credencial S\xD3 no keychain do SO \u2014 nunca em texto em claro. L427: - Loop de agente + ferramentas nativas + controle de permiss\xE3o integrados.`;function Xe(t,e,o={}){let n=`--${e}=`;for(let r=0;r<t.length;r++){let s=t[r];if(s===`--${e}`){let i=t... L428: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`),m({status:O,body:X,...H?{contentType:H}:{}})}),D.on("close",()=>{if(c)return;let X=Buffer.concat(U).toString("utf8")+(W?` ... L430: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`;m({status:O,body:ne,...H?{contentType:H}:{}});return}d(X)})}),S=()=>{g.destroy(),d(new Error("cancelado"))},A=setTimeout(()=>... L431: ${on(S)}`}}catch(h){let y=u?`o proxy n\xE3o respondeu em ${m}ms (timeout)`:h instanceof Error?h.message:String(h);return{ok:!1,display:l,observation:`headroom_retrieve: falha ao fa... L432: [arquivo truncado: lidos ${this.maxReadBytes} de ${s} bytes]`:n}async readFileMeta(e){let o=this.workspace.resolveInside(e),{content:n,truncated:r,binary:s}=await oa(o,this.maxRead...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist-bundle/index.jsView on unpkg · L426
assets/mem0/aluy-mem0-server.pyView file
path = assets/mem0/aluy-mem0-server.py kind = build_helper sizeBytes = 20729 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/mem0/aluy-mem0-server.pyView on unpkg

Findings

2 Critical5 High6 Medium5 Low
CriticalCommand Output Exfiltrationdist-bundle/bin/aluy.js
CriticalTrigger Reachable Dangerous Capabilitydist-bundle/index.js
HighChild Processdist-bundle/bin/aluy.js
HighSame File Env Network Executiondist-bundle/bin/aluy.js
HighSandbox Evasion Gated Capabilitydist-bundle/bin/aluy.js
HighCloud Metadata Accessdist-bundle/bin/aluy.js
HighCross File Remote Execution Contextdist-bundle/bin/aluy.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist-bundle/bin/aluy.js
MediumProtestware
MediumShips Build Helperassets/mem0/aluy-mem0-server.py
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License