registry  /  @miomioos/mio-agent  /  0.3.10

@miomioos/mio-agent@0.3.10

Mio Agent — background AI worker daemon for MioIsland. Bridges Claude Code sessions to the MioMioOS server.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established, but the package is a powerful first-party AI agent daemon with explicit background installation and runtime agent control. Risk is user-invoked and package-aligned rather than npm install-time hijacking.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs mio-agent login/start/run/install/pair-phone or daemon receives authorized server events.
Impact
Can run local agent sessions, persist as a background service when explicitly installed, and send/read/update Mio workspace data via the configured server token.
Mechanism
authorized AI-agent daemon, local proxy wrapper, LaunchAgent setup, and Claude/Codex subprocess orchestration
Rationale
Static inspection shows a legitimate but high-capability MioMioOS agent daemon: network, tokens, subprocesses, local wrappers, and LaunchAgent persistence are aligned with documented user commands and not triggered by npm install. Because it can operate an AI-agent control surface with permission-bypass runtime flags and explicit background setup, warn rather than block.
Evidence
package.jsonREADME.mddist/cli/index.jsdist/runtimes/skills/mio-messaging.mddist/runtimes/skills/mio-tasks.mddist/runtimes/skills/mio-attachments.md~/.mio/agent.json~/.mio/bin/mio-agent~/Library/LaunchAgents/io.miomioos.mio-agent.plist~/.mio/logs/mio-agent.log~/.mio/logs/mio-agent-error.log~/.mio/agent-proxy-tokens/<agent>/<launch>.token<agent workspace>/.mio/mio<agent workspace>/.mio/mcp-config.json<agent workspace>/.claude/skills/*/SKILL.md
Network endpoints4
mio.wdao.chatgithub.com/MioMioOS/mio-agent/releases/download/v<version>/127.0.0.1:7878127.0.0.1:<ephemeral>/act

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js spawns Claude/Codex agent runtimes and injects a local mio wrapper into PATH.
  • dist/cli/index.js launches Claude with bypass/skip-permissions flags for persona extraction.
  • dist/cli/index.js explicit `install --background --version` writes a LaunchAgent plist and downloads a release binary.
  • dist/cli/index.js forwards agent actions to configured Mio server using a machine token.
  • dist/runtimes/skills/*.md provide agent skills for messaging, tasks, reminders, attachments, profile updates.
Evidence against
  • package.json has no install/preinstall/postinstall hook; only prepublishOnly build script.
  • Persistence is behind explicit `mio-agent install --background --version`, not npm install-time execution.
  • Login stores a package-owned machine token in macOS Keychain and config under ~/.mio after QR approval.
  • Release download is GitHub MioMioOS-owned and verifies manifest plus SHA-256 before installing.
  • Network endpoints are package-aligned: default server and MioMioOS GitHub releases.
  • No source evidence of broad credential harvesting, destructive behavior, or covert exfiltration.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 1 file(s), 315 KB of source, external domains: 127.0.0.1, github.com, mio.wdao.chat, www.apple.com

Source & flagged code

6 flagged · loading source
dist/cli/index.jsView file
1#!/usr/bin/env node L2: import{createRequire as ___cr}from'module';import{fileURLToPath as ___fu}from'url';import{dirname as ___dn}from'path';const require=___cr(import.meta.url);const __filename=___fu(im... L3: var ff=Object.create;var bs=Object.defineProperty;var hf=Object.getOwnPropertyDescriptor;var pf=Object.getOwnPropertyNames;var gf=Object.getPrototypeOf,mf=Object.prototype.hasOwnPr... L4: `),1;let o=process.env.MIO_AGENT_PROXY_TOKEN_FILE;if(!o)return r.write(JSON.stringify({ok:!1,code:"MISSING_PROXY_TOKEN",message:"MIO_AGENT_PROXY_TOKEN_FILE is not set"})+` ... L102: `)}}async function Xf(n,e,t,r,s,i){switch(n){case"upload":return Qf(e,t,r,s,i);case"view":return Zf(e,t,r,s,i);default:return i.write(JSON.stringify({ok:!1,code:"UNKNOWN_COMMAND",m... L103: `),1}}async function Es(n,e,t,r){let s=bf(n).toLowerCase(),i=yo[s];if(!i){let u=Object.keys(yo).join(", ");return{ok:!1,error:{ok:!1,code:"UNSUPPORTED_FILE_TYPE",message:`Cannot de... L104: `),1;let o=U(n,"--target");if(!o)return s.write(JSON.stringify({ok:!1,code:"MISSING_ARG",message:"--target <#name> is required for attachment upload"})+` ... L124: `),t.avatar!==void 0){let a=Buffer.byteLength(t.avatar,"utf8");e.write
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/cli/index.js L1: #!/usr/bin/env node L2: import{createRequire as ___cr}from'module';import{fileURLToPath as ___fu}from'url';import{dirname as ___dn}from'path';const require=___cr(import.meta.url);const __filename=___fu(im... L3: var ff=Object.create;var bs=Object.defineProperty;var hf=Object.getOwnPropertyDescriptor;var pf=Object.getOwnPropertyNames;var gf=Object.getPrototypeOf,mf=Object.prototype.hasOwnPr... L4: `),1;let o=process.env.MIO_AGENT_PROXY_TOKEN_FILE;if(!o)return r.write(JSON.stringify({ok:!1,code:"MISSING_PROXY_TOKEN",message:"MIO_AGENT_PROXY_TOKEN_FILE is not set"})+` ... L102: `)}}async function Xf(n,e,t,r,s,i){switch(n){case"upload":return Qf(e,t,r,s,i);case"view":return Zf(e,t,r,s,i);default:return i.write(JSON.stringify({ok:!1,code:"UNKNOWN_COMMAND",m... L103: `),1}}async function Es(n,e,t,r){let s=bf(n).toLowerCase(),i=yo[s];if(!i){let u=Object.keys(yo).join(", ");return{ok:!1,error:{ok:!1,code:"UNSUPPORTED_FILE_TYPE",message:`Cannot de... L104: `),1;let o=U(n,"--target");if(!o)return s.write(JSON.stringify({ok:!1,code:"MISSING_ARG",message:"--target <#name> is required for attachment upload"})+` ... L124: `),t.avat…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/index.jsView on unpkg · L1
189(and others from agentProxy.ts / the server) L190: `});var xo={};$e(xo,{runAgentcliCommand:()=>ih});async function ih(){return vo(process.argv.slice(3),{stdin:process.stdin,stdout:process.stdout,stderr:process.stderr})}var To=O(()=... L191: `;for(var f=0;f<a;f+=2){s+=l.WHITE_ALL;for(var p=0;p<a;p++)c[f][p]===o&&c[f+1][p]===o?s+=l.WHITE_ALL:c[f][p]===o&&c[f+1][p]===i?s+=l.WHITE_BLACK:c[f][p]===i&&c[f+1][p]===o?s+=l.BLA...
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L189
189(and others from agentProxy.ts / the server) L190: `});var xo={};$e(xo,{runAgentcliCommand:()=>ih});async function ih(){return vo(process.argv.slice(3),{stdin:process.stdin,stdout:process.stdout,stderr:process.stderr})}var To=O(()=... L191: `;for(var f=0;f<a;f+=2){s+=l.WHITE_ALL;for(var p=0;p<a;p++)c[f][p]===o&&c[f+1][p]===o?s+=l.WHITE_ALL:c[f][p]===o&&c[f+1][p]===i?s+=l.WHITE_BLACK:c[f][p]===i&&c[f+1][p]===o?s+=l.BLA... ... L201: --help Show this message L202: `)}async function vh(n){let e;try{({values:e}=ph({args:n,options:{server:{type:"string",default:Is},"device-name":{type:"string",default:kn.hostname()},help:{type:"boolean",default... L203: `);let s=e?["-n",String(t),"-F",...r]:["-n",String(t),...r],i=kh("tail",s,{stdio:"inherit"});return await new Promise(o=>{i.on("exit",c=>o(c??0)),i.on("error",c=>{console.error(`Fa... L204: `);return _.substr(0,_.length-2)},this.getRequestHeader=function(_){return typeof _=="string"&&d[_]?d[_]:""},this.send=function(_){if(this.readyState!=this.OPENED)throw new Error("... L205: `).join(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L189
189(and others from agentProxy.ts / the server) L190: `});var xo={};$e(xo,{runAgentcliCommand:()=>ih});async function ih(){return vo(process.argv.slice(3),{stdin:process.stdin,stdout:process.stdout,stderr:process.stderr})}var To=O(()=... L191: `;for(var f=0;f<a;f+=2){s+=l.WHITE_ALL;for(var p=0;p<a;p++)c[f][p]===o&&c[f+1][p]===o?s+=l.WHITE_ALL:c[f][p]===o&&c[f+1][p]===i?s+=l.WHITE_BLACK:c[f][p]===i&&c[f+1][p]===o?s+=l.BLA... ... L201: --help Show this message L202: `)}async function vh(n){let e;try{({values:e}=ph({args:n,options:{server:{type:"string",default:Is},"device-name":{type:"string",default:kn.hostname()},help:{type:"boolean",default... L203: `);let s=e?["-n",String(t),"-F",...r]:["-n",String(t),...r],i=kh("tail",s,{stdio:"inherit"});return await new Promise(o=>{i.on("exit",c=>o(c??0)),i.on("error",c=>{console.error(`Fa...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L189
1#!/usr/bin/env node L2: import{createRequire as ___cr}from'module';import{fileURLToPath as ___fu}from'url';import{dirname as ___dn}from'path';const require=___cr(import.meta.url);const __filename=___fu(im... L3: var ff=Object.create;var bs=Object.defineProperty;var hf=Object.getOwnPropertyDescriptor;var pf=Object.getOwnPropertyNames;var gf=Object.getPrototypeOf,mf=Object.prototype.hasOwnPr... L4: `),1;let o=process.env.MIO_AGENT_PROXY_TOKEN_FILE;if(!o)return r.write(JSON.stringify({ok:!1,code:"MISSING_PROXY_TOKEN",message:"MIO_AGENT_PROXY_TOKEN_FILE is not set"})+` ... L102: `)}}async function Xf(n,e,t,r,s,i){switch(n){case"upload":return Qf(e,t,r,s,i);case"view":return Zf(e,t,r,s,i);default:return i.write(JSON.stringify({ok:!1,code:"UNKNOWN_COMMAND",m... L103: `),1}}async function Es(n,e,t,r){let s=bf(n).toLowerCase(),i=yo[s];if(!i){let u=Object.keys(yo).join(", ");return{ok:!1,error:{ok:!1,code:"UNSUPPORTED_FILE_TYPE",message:`Cannot de... L104: `),1;let o=U(n,"--target");if(!o)return s.write(JSON.stringify({ok:!1,code:"MISSING_ARG",message:"--target <#name> is required for attachment upload"})+` ... L124: `),t.avatar!==void 0){let a=Buffer.byteLength(t.avatar,"utf8");e.write
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L1

Findings

2 Critical3 High4 Medium6 Low
CriticalCredential Exfiltrationdist/cli/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/index.js
HighChild Processdist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighCommand Output Exfiltrationdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License