@nodus-ai/desktop@0.1.0-preview.1

Nodus Desktop Runtime daemon for macOS

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs nodus-desktop login/install/daemon, or npx @nodus-ai/desktop install.
Impact
Authenticated Nodus cloud requests can execute commands, read/write/upload/download home-directory files, and invoke configured MCP tools.
Mechanism
opt-in persistent remote desktop runtime daemon
Policy narrative
After explicit login/install, the package stores a Nodus credential, installs a LaunchAgent, and runs a daemon that polls/connects to the configured Nodus server. Authenticated cloud requests can run shell commands, read/write files under HOME, upload/download file contents, enumerate skills/MCP servers, and proxy MCP calls.
Rationale
This is a dangerous agent-facing remote-control capability with persistence, but it is explicitly user-invoked and aligned with the documented desktop runtime rather than delivered through npm lifecycle or hidden import-time behavior. Warn rather than block because no concrete malicious behavior or unconsented foreign AI-agent control-surface mutation was found.
Evidence
  • package.json
  • README.md
  • dist/cli.cjs
  • dist/mcp.cjs
  • ~/.nodus/desktop/config.json
  • ~/.nodus/desktop/bin/cli.cjs
  • ~/.nodus/desktop/bin/mcp.cjs
  • ~/Library/LaunchAgents/ai.nodus.desktop.plist
  • ~/.codex/skills
  • ~/.agents/skills
  • ~/.codex/plugins/cache
Network endpoints (7)
  • nodus-api-preview-production.up.railway.app
  • /desktop-devices/agent/heartbeat
  • /desktop-devices/agent/connect
  • /desktop-devices/agent/claim
  • /desktop-devices/agent/complete
  • /desktop-devices/pair/start
  • /desktop-devices/pair/poll

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli.cjs exposes user home file list/read/write/upload/download handlers to cloud requests after daemon starts.
  • dist/cli.cjs runs remote-requested shell commands via /bin/zsh -lc from the user home directory.
  • dist/cli.cjs user-invoked install writes ~/Library/LaunchAgents/ai.nodus.desktop.plist with RunAtLoad/KeepAlive.
  • dist/cli.cjs inventories Codex skills, ~/.agents skills, Codex plugin cache, and enabled Codex MCP servers.
  • dist/mcp.cjs proxies tools/list, resources/read, prompts/get, and tools/call to configured MCP servers.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • README documents explicit login/install commands for a macOS desktop runtime.
  • Persistence is created by the explicit nodus-desktop install command, not npm install/import time.
  • Credential storage uses macOS security CLI for ai.nodus.desktop pairing credentials.
  • File access is constrained by resolveLocal to paths under the user home directory.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 2 file(s), 762 KB of source, external domains: github.com, json-schema.org, nodus-api-preview-production.up.railway.app, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.apple.com, www.safaribooksonline.com, www.w3.org

Source & flagged code

6 flagged
dist/mcp.cjs
L510: "use strict";
L511: var cp = require("child_process");
L512: var parse3 = require_parse();
High
Child Process

Package source references child process execution.

dist/mcp.cjs · L510
L3443: sourceCode = this.opts.code.process(sourceCode, sch);
L3444: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
L3445: const validate = makeValidate(this, this.scope.get());
High
Eval

Package source references dynamic code evaluation.

dist/mcp.cjs · L3443
dist/cli.cjs
L3728: var import_node_util = require("util");
L3729: var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
L3730: var uid = typeof process.getuid === "function" ? process.getuid() : 0;
...
L3739: };
L3740: var baseUrl = () => value("--server") ?? process.env.NODUS_URL ?? "https://nodus-api-preview-production.up.railway.app";
L3741: var json = async (url, init = {}) => {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.cjs · L3728
L44: kStatusCode: /* @__PURE__ */ Symbol("status-code"),
L45: kWebSocket: /* @__PURE__ */ Symbol("websocket"),
L46: NOOP: () => {
...
L97: } else {
L98: buf = Buffer.from(data);
L99: toBuffer.readOnly = false;
...
L109: };
L110: if (!process.env.WS_NO_BUFFER_UTIL) {
L111: try {
...
L161: *
L162: * @private
L163: */
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/cli.cjs · L44
Cross-file remote execution chain: dist/cli.cjs spawns dist/mcp.cjs; helper contains network access plus dynamic code execution.
L44: kStatusCode: /* @__PURE__ */ Symbol("status-code"),
L45: kWebSocket: /* @__PURE__ */ Symbol("websocket"),
L46: NOOP: () => {
...
L97: } else {
L98: buf = Buffer.from(data);
L99: toBuffer.readOnly = false;
...
L109: };
L110: if (!process.env.WS_NO_BUFFER_UTIL) {
L111: try {
...
L161: *
L162: * @private
L163: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.cjs · L44
L44: kStatusCode: /* @__PURE__ */ Symbol("status-code"),
L45: kWebSocket: /* @__PURE__ */ Symbol("websocket"),
L46: NOOP: () => {
...
L97: } else {
L98: buf = Buffer.from(data);
L99: toBuffer.readOnly = false;
...
L109: };
L110: if (!process.env.WS_NO_BUFFER_UTIL) {
L111: try {
...
L161: *
L162: * @private
L163: */
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.cjs · L44

Findings

5 High · 2 Medium · 6 Low
  • High · Child Process · dist/mcp.cjs
  • High · Eval · dist/mcp.cjs
  • High · Same File Env Network Execution · dist/cli.cjs
  • High · Credential Exfiltration · dist/cli.cjs
  • High · Cross File Remote Execution Context · dist/cli.cjs
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Weak Crypto · dist/cli.cjs
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License