AI Security Review
scanned 3h ago · by lpm-firewall-aiExplicit payment commands can sign and broadcast cryptocurrency transactions using a supplied or locally stored private key. Remote API responses participate in transaction construction for swap and bridge flows; no install-time attack surface was found.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `rail20 login`, `deposit`, `send`, `swap`, `bridge`, or `recover`.
Impact
A user who provides a key can authorize fund-moving transactions; an API-controlled route can influence burner-wallet transaction requests.
Mechanism
Private-key wallet signing and remote-assisted on-chain transaction execution.
Rationale
No concrete malicious install-time, stealth, exfiltration, or destructive chain is present. The package nevertheless exposes a high-risk remote-assisted cryptocurrency transaction capability and should be warned rather than treated as clean.
Evidence
package.jsonbin/rail20.jsREADME.md~/.rail20/wallet.json~/.rail20/config.json
Network endpoints4
api.rail20.orgmainnet.base.orgrpc.mainnet.chain.robinhood.comregistry.npmjs.org/@rail20/cli/latest
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `bin/rail20.js` accepts `RAIL20_KEY` or stores a private key in `~/.rail20/wallet.json`.
- User commands create ethers signers and broadcast deposits, swaps, bridges, and burner recovery transfers.
- `swap`/bridge flows obtain API-provided transaction requests and sign/send them from burner wallets.
- CLI posts signatures, wallet addresses, amounts, and burner encryption data to `https://api.rail20.org`.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Entrypoint runs only through the explicit `rail20` bin command.
- Filesystem writes are limited to `~/.rail20/config.json` and `~/.rail20/wallet.json`; logout removes those same files.
- No child-process execution, eval, dynamic code loading, AI-agent config writes, or unrelated file harvesting found.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcebin/rail20.jsView file
2/**
L3: * rail20 CLI - private payments for onchain agents.
L4: *
...
L21: // === constants ===
L22: const API = process.env.RAIL20_API || 'https://api.rail20.org'
L23: const SIGN_MESSAGE =
...
L26: 'No transaction will be sent.'
L27: const CONFIG_DIR = path.join(os.homedir(), '.rail20')
L28: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json') // cached RAIL20 sig
...
L37: function color(text, col) {
L38: return process.stdout.isTTY ? `${col}${text}${c.reset}` : text
L39: }
Critical
Wallet Drain
Source uses private key material to transfer cryptocurrency funds.
bin/rail20.jsView on unpkg · L22Trigger-reachable chain: manifest.bin -> bin/rail20.js
L2: /**
L3: * rail20 CLI - private payments for onchain agents.
L4: *
...
L21: // === constants ===
L22: const API = process.env.RAIL20_API || 'https://api.rail20.org'
L23: const SIGN_MESSAGE =
...
L26: 'No transaction will be sent.'
L27: const CONFIG_DIR = path.join(os.homedir(), '.rail20')
L28: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json') // cached RAIL20 sig
...
L37: function color(text, col) {
L38: return process.stdout.isTTY ? `${col}${text}${c.reset}` : text
L39: }
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/rail20.jsView on unpkg · L2Findings
2 Critical3 Medium3 Low
CriticalWallet Drainbin/rail20.js
CriticalTrigger Reachable Dangerous Capabilitybin/rail20.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings