registry  /  @iliasalmerekov/aegis  /  0.6.2

@iliasalmerekov/aegis@0.6.2

Terminal proxy that intercepts AI agent shell commands and requires human confirmation before destructive operations

AI Security Review

scanned 13h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. On npm postinstall, the package downloads a native executable and runs it. If either existing agent directory is found, it automatically invokes hook installation across supported agents without user confirmation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or global npm install on Linux/macOS with ~/.claude or ~/.codex present
Impact
Can change Claude Code/Codex command-execution control surfaces using opaque native code.
Mechanism
postinstall native-binary download followed by automatic AI-agent hook installation
Policy narrative
The postinstall script downloads a checksum-pinned native executable, then conditionally runs `aegis install-hooks --all` whenever an existing Claude Code or Codex directory is detected. The package documentation confirms these are PreToolUse hooks that affect agent command execution. This is unconsented install-time mutation of foreign AI-agent control surfaces, and the actual native hook behavior cannot be verified from the packaged JavaScript source.
Rationale
The package has a concrete unconsented postinstall path that installs hooks into existing Claude Code/Codex environments. Checksum validation limits tampering of the chosen release asset but does not make the opaque control-surface mutation consented or source-auditable.
Evidence
package.jsonscripts/install.jschecksums.jsonREADME.mdbin/aegis.jsvendor/aegis~/.claude~/.codex
Network endpoints1
github.com/IliasAlmerekov/aegis-shellguard/releases/download/v0.6.2

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json declares postinstall: node scripts/install.js.
  • scripts/install.js downloads and executes vendor/aegis during postinstall.
  • scripts/install.js detects ~/.claude or ~/.codex and invokes `install-hooks --all` without confirmation.
  • README.md confirms those hooks alter Claude Code/Codex PreToolUse behavior.
  • The downloaded native binary is not included for source inspection; its hook writes are opaque.
Evidence against
  • scripts/install.js verifies the downloaded asset SHA-256 against checksums.json.
  • The source does not harvest credentials or transmit environment values.
  • README.md and install.js state shell-proxy setup is an explicit user command.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 6.99 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/aegis.jsView file
3L4: const { spawnSync } = require("node:child_process"); L5: const path = require("node:path");
High
Child Process

Package source references child process execution.

bin/aegis.jsView on unpkg · L3
scripts/install.jsView file
4const fs = require("node:fs"); L5: const https = require("node:https"); L6: const os = require("node:os"); L7: const path = require("node:path"); L8: const { spawnSync } = require("node:child_process"); L9: ... L14: L15: const platform = process.env.AEGIS_NPM_PLATFORM || process.platform; L16: const arch = process.env.AEGIS_NPM_ARCH || process.arch;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/install.jsView on unpkg · L4

Findings

3 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/aegis.js
HighSame File Env Network Executionscripts/install.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings