registry  /  @hiperplano/aluy-cli  /  1.0.0-rc.95

@hiperplano/aluy-cli@1.0.0-rc.95

Aluy CLI — TUI (Ink) + binário `aluy` + wiring. Consome @hiperplano/aluy-cli-core (engine portável). Credenciais só no keychain do SO.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The high-risk primitives are consistent with a user-invoked terminal AI agent and local optional sidecars, with no install-time hook or hidden exfiltration path found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the aluy CLI or optional onboard/bootstrap/login features
Impact
Can execute commands, edit files, use network providers, and manage local ~/.aluy state when the user invokes/configures it
Mechanism
User-invoked AI agent tooling with permission mediation
Rationale
Static inspection shows a bundled AI terminal agent with expected dangerous capabilities gated by user invocation and permission logic, and no lifecycle hook, covert credential harvesting, or non-package-aligned exfiltration. The scanner's command/network findings are explained by the package's documented CLI agent functionality.
Evidence
package.jsondist-bundle/bin/aluy.jsdist-bundle/index.jsassets/mem0/aluy-mem0-server.pyREADME.md~/.aluy/config.json~/.aluy/providers.json~/.aluy/mcp.json~/.aluy/memory~/.aluy/todos.json~/.aluy/undoALUY.md.aluy/agents/exemplo.md.aluy/workflows/exemplo.md.aluy/commands/exemplo.md
Network endpoints9
api.aluy.app/api/v1broker.dev.aluy.exampleclaude.ai/oauth/authorizeconsole.anthropic.com/v1/oauth/tokenauth.openai.com/oauth/authorizeauth.openai.com/oauth/token127.0.0.1:49876/callback127.0.0.1:11435127.0.0.1:11434

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist-bundle/bin/aluy.js and dist-bundle/index.js implement an agent CLI with shell execution, file writes, MCP, memory, and login/token flows
  • Network endpoints include package-aligned Aluy broker/identity URLs, provider OAuth URLs, DuckDuckGo search, and loopback services
  • assets/mem0/aluy-mem0-server.py runs a local HTTP memory sidecar and writes under ~/.aluy/memory
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • bin/main entrypoints are explicit CLI entrypoints, not install-time execution
  • Shell execution is routed through permission policy; run_command defaults to ask and sensitive reads/config writes are denied or prompted
  • Credential storage uses @napi-rs/keyring and env fallback for user-configured providers; no hardcoded exfiltration sink found
  • Mem0 endpoints are loopback-only defaults: http://127.0.0.1:11435 and Ollama http://127.0.0.1:11434
  • README describes the same agent CLI, BYO provider, ~/.aluy config, MCP, and optional local memory behavior
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.92 MB of source, external domains: 127.0.0.1, api.aluy.app, api.anthropic.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, api.telegram.org, api.x.ai, auth.openai.com, broker.dev.aluy.example, claude.ai, console.anthropic.com, duckduckgo.com, generativelanguage.googleapis.com, github.com, ollama.com, openrouter.ai, registry.npmjs.org

Source & flagged code

9 flagged · loading source
dist-bundle/bin/aluy.jsView file
129${n.snippet}`.trimEnd());return[`Resultados de busca para "${t}" (DuckDuckGo):`,...o,"","(As URLs acima N\xC3O foram buscadas. Para abrir uma, use web_fetch \u2014 ela passar\xE1 n... L130: `)}var f6,p6,ER,h6,AR,ap,TR=p(()=>{"use strict";$r();ip();Pk();f6=8;p6=Object.freeze({type:"object",properties:{url:{type:"string",description:"OBRIGAT\xD3RIO. A URL http(s) a busc... L131: ... L135: ${t.trim()}`}}function IR(t,e,o=Eu){let{older:n,recent:r}=dp(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[FR(e,n... L136: `),Eu=4,cp=1500,up=.4,lp=48e3;Mi=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},wu=class{model;ke... L137: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new be(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function I6(t,e,o){let n... ... L141: `)}function nG(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var TO=p(()=>{"use strict"});var DO=p(()=>{"use strict";Ap();lO();cO();uO();dO();fO();yO();zm();wO();TO()... L142: `,r;try{r=SG(o,_x.O_CREAT|_x.O_EXCL|_x.
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist-bundle/bin/aluy.jsView on unpkg · L129
88L89: `):void 0}function t_(t,e,o){if(o===void 0)return e;let n=Gv(t.model);return n===void 0?e:o(n)}var Y0,V0,X0,Ai,Xv,J0,Q0,yW,Jv,Zc,Qv=p(()=>{"use strict";Sv();zv();Kv();fi();qv();Vf(... L90:
High
Child Process

Package source references child process execution.

dist-bundle/bin/aluy.jsView on unpkg · L88
135${t.trim()}`}}function IR(t,e,o=Eu){let{older:n,recent:r}=dp(t,o);if(n.length===0)return{history:t,stats:{turnsBefore:t.length,turnsAfter:t.length,summarizedTurns:0}};let s=[FR(e,n... L136: `),Eu=4,cp=1500,up=.4,lp=48e3;Mi=class extends Error{constructor(){super("hist\xF3rico curto demais \u2014 nada a compactar."),this.name="NothingToCompactError"}},wu=class{model;ke... L137: `;case"t":return" ";case"r":return"\r";case'"':return'"';case"\\":return"\\";default:throw new be(`config.toml:${e}: escape n\xE3o suportado "\\${i}".`)}})}function I6(t,e,o){let n... ... L141: `)}function nG(t,e){return t.length<=e?t:t.slice(0,e-1).trimEnd()+"\u2026"}var TO=p(()=>{"use strict"});var DO=p(()=>{"use strict";Ap();lO();cO();uO();dO();fO();yO();zm();wO();TO()... L142: `,r;try{r=SG(o,_x.O_CREAT|_x.O_EXCL|_x.O_WRONLY,_G),wG(r,n),QO(r),r=void 0,CG(o,this.file)}catch(s){if(r!==void 0)try{QO(r)}catch{}try{TG(o)}catch{}throw s}}}});function Lx(t){let ... L143: `}`)}}else process.stderr.write(`${l?"\r":""} baixando ${e}... ${m} MB${l?"":`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L135
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var vH,kH,Ly=p(()=>{"use strict";vH="<<<FIM_DADO>>>",kH="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as xH}from"node:crypto";function Fy(t,e){let o=[...t,e];return o.length>Py?o... L13: ... L23: L24: `)+G}}}]}var bs,Wy,qC,tf=p(()=>{"use strict";$y();ac();qy();bs="room_post",Wy="room_read",qC=["ask","inform","result","ack"]});function of(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var pf=p(()=>{"use strict"});function MT(t=globalThis.process?.env??{}){let e=TT(t[_T]),o=TT(t[RT]);return{maxConsecutiveLineRepeats:e!==void 0
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-bundle/bin/aluy.jsView on unpkg · L8
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var vH,kH,Ly=p(()=>{"use strict";vH="<<<FIM_DADO>>>",kH="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as xH}from"node:crypto";function Fy(t,e){let o=[...t,e];return o.length>Py?o... L13: ... L23: L24: `)+G}}}]}var bs,Wy,qC,tf=p(()=>{"use strict";$y();ac();qy();bs="room_post",Wy="room_read",qC=["ask","inform","result","ack"]});function of(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var pf=p(()=>{"use strict"});function MT(t=globalThis.process?.env??{}){let e=TT(t[_T]),o=TT(t[RT]);return{maxConsecutiveLineRepeats:e!==void 0
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist-bundle/bin/aluy.jsView on unpkg · L8
8Cross-file remote execution chain: dist-bundle/bin/aluy.js spawns dist-bundle/index.js; helper contains network access plus dynamic code execution. L8: ${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var vH,kH,Ly=p(()=>{"use strict";vH="<<<FIM_DADO>>>",kH="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as xH}from"node:crypto";function Fy(t,e){let o=[...t,e];return o.length>Py?o... L13: ... L23: L24: `)+G}}}]}var bs,Wy,qC,tf=p(()=>{"use strict";$y();ac();qy();bs="room_post",Wy="room_read",qC=["ask","inform","result","ack"]});function of(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist-bundle/bin/aluy.jsView on unpkg · L8
8${n}`,display:o}}case"text":return{ok:!0,observation:`O usu\xE1rio respondeu \xE0 pergunta "${t.question}": L9: ${e.text}`,display:o};case"unavailable":return{ok:!1,observation:`N\xE3o foi poss\xEDvel PERGUNTAR ao usu\xE1rio: ${e.reason}. Isto N\xC3O \xE9 um erro t\xE9cnico nem motivo para r... L10: `).map(s=>s.trim()===""?"":` ${s}`).join(` L11: `);return[`<<<DADO_NAO_CONFIAVEL origem=${o}>>>`,r,"<<<FIM_DADO>>>"].join(` L12: `)}var vH,kH,Ly=p(()=>{"use strict";vH="<<<FIM_DADO>>>",kH="DADO_NAO_CONFIAVEL>>>"});import{randomBytes as xH}from"node:crypto";function Fy(t,e){let o=[...t,e];return o.length>Py?o... L13: ... L23: L24: `)+G}}}]}var bs,Wy,qC,tf=p(()=>{"use strict";$y();ac();qy();bs="room_post",Wy="room_read",qC=["ask","inform","result","ack"]});function of(t,e,o){for(let n of t.rules)if(n.tool===e... L25: `);let s=o.indexOf(` ... L30: `)){if(r===""||r.startsWith(":"))continue;let s=r.indexOf(":"),i=s===-1?r:r.slice(0,s),a=s===-1?"":r.slice(s+1);a.startsWith(" ")&&(a=a.slice(1)),i==="event"?(e=a,n=!0):i==="data"&... L31: `)}:null}var pf=p(()=>{"use strict"});function MT(t=globalThis.process?.env??{}){let e=TT(t[_T]),o=TT(t[RT]);return{maxConsecutiveLineRepeats:e!==void 0
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-bundle/bin/aluy.jsView on unpkg · L8
dist-bundle/index.jsView file
426Trigger-reachable chain: manifest.main -> dist-bundle/index.js L426: - Credencial S\xD3 no keychain do SO \u2014 nunca em texto em claro. L427: - Loop de agente + ferramentas nativas + controle de permiss\xE3o integrados.`;function Xe(t,e,o={}){let n=`--${e}=`;for(let r=0;r<t.length;r++){let s=t[r];if(s===`--${e}`){let i=t... L428: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`),m({status:O,body:X,...H?{contentType:H}:{}})}),D.on("close",()=>{if(c)return;let X=Buffer.concat(U).toString("utf8")+(W?` ... L430: \u2026[truncado: corpo maior que ${e.maxBytes} bytes]`;m({status:O,body:ne,...H?{contentType:H}:{}});return}d(X)})}),S=()=>{g.destroy(),d(new Error("cancelado"))},A=setTimeout(()=>... L431: ${nn(S)}`}}catch(h){let y=u?`o proxy n\xE3o respondeu em ${m}ms (timeout)`:h instanceof Error?h.message:String(h);return{ok:!1,display:l,observation:`headroom_retrieve: falha ao fa... L432: [arquivo truncado: lidos ${this.maxReadBytes} de ${s} bytes]`:n}async readFileMeta(e){let o=this.workspace.resolveInside(e),{content:n,truncated:r,binary:s}=await na(o,this.maxRead...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist-bundle/index.jsView on unpkg · L426
assets/mem0/aluy-mem0-server.pyView file
path = assets/mem0/aluy-mem0-server.py kind = build_helper sizeBytes = 20729 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/mem0/aluy-mem0-server.pyView on unpkg

Findings

2 Critical5 High6 Medium5 Low
CriticalCommand Output Exfiltrationdist-bundle/bin/aluy.js
CriticalTrigger Reachable Dangerous Capabilitydist-bundle/index.js
HighChild Processdist-bundle/bin/aluy.js
HighSame File Env Network Executiondist-bundle/bin/aluy.js
HighSandbox Evasion Gated Capabilitydist-bundle/bin/aluy.js
HighCloud Metadata Accessdist-bundle/bin/aluy.js
HighCross File Remote Execution Contextdist-bundle/bin/aluy.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist-bundle/bin/aluy.js
MediumProtestware
MediumShips Build Helperassets/mem0/aluy-mem0-server.py
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License