registry  /  @rail20/cli  /  0.3.3

@rail20/cli@0.3.3

Private payments for onchain agents. CLI for RAIL20 - shield, send, swap, bridge with zero-knowledge privacy on Base and Robinhood Chain.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Explicit `deposit`, `send`, `swap`, `bridge`, and `recover` commands can move cryptocurrency. The remote RAIL20 API supplies some transaction calldata, including router transaction lists that the CLI broadcasts from a funded burner wallet. No install-time or import-time attack surface is present.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs a fund-moving `rail20` command with a configured wallet.
Impact
A compromised or malicious configured API could direct funds involved in an explicitly initiated swap, bridge, or deposit to arbitrary on-chain calls.
Mechanism
Remote API-assisted blockchain transaction preparation and burner-wallet transaction signing.
Rationale
No source evidence establishes deliberate malicious behavior, but unrestricted signing of API-supplied transaction data is a material fund-loss risk in a cryptocurrency CLI. Warn rather than block because the capability is tied to explicit user payment commands and no malicious chain is proven.
Evidence
package.jsonbin/rail20.jsREADME.md~/.rail20/wallet.json~/.rail20/config.json
Network endpoints4
api.rail20.orgmainnet.base.orgrpc.mainnet.chain.robinhood.comregistry.npmjs.org/@rail20/cli/latest

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/rail20.js` broadcasts transaction objects returned by `/api/router/execute` from a burner wallet.
  • `bin/rail20.js` sends server-prepared deposit/swap calldata with user or burner signers.
  • The CLI handles private keys and creates burner wallets for explicit fund-moving commands.
Evidence against
  • `package.json` defines no preinstall, install, postinstall, or prepare hooks.
  • `bin/rail20.js` runs only through the explicit `rail20` bin command.
  • No shell execution, eval, dynamic code loading, credential harvesting, or AI-agent config writes were found.
  • Private keys are stored locally or used to sign; API request bodies inspected do not include the main wallet private key.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 61.6 KB of source, external domains: api.rail20.org, basescan.org, docs.rail20.org, registry.npmjs.org, robinhoodchain.blockscout.com, rpc.mainnet.chain.robinhood.com

Source & flagged code

2 flagged · loading source
bin/rail20.jsView file
2/** L3: * rail20 CLI - private payments for onchain agents. L4: * ... L21: // === constants === L22: const API = process.env.RAIL20_API || 'https://api.rail20.org' L23: const SIGN_MESSAGE = ... L26: 'No transaction will be sent.' L27: const CONFIG_DIR = path.join(os.homedir(), '.rail20') L28: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json') // cached RAIL20 sig ... L37: function color(text, col) { L38: return process.stdout.isTTY ? `${col}${text}${c.reset}` : text L39: }
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

bin/rail20.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> bin/rail20.js L2: /** L3: * rail20 CLI - private payments for onchain agents. L4: * ... L21: // === constants === L22: const API = process.env.RAIL20_API || 'https://api.rail20.org' L23: const SIGN_MESSAGE = ... L26: 'No transaction will be sent.' L27: const CONFIG_DIR = path.join(os.homedir(), '.rail20') L28: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json') // cached RAIL20 sig ... L37: function color(text, col) { L38: return process.stdout.isTTY ? `${col}${text}${c.reset}` : text L39: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/rail20.jsView on unpkg · L2

Findings

2 Critical3 Medium3 Low
CriticalWallet Drainbin/rail20.js
CriticalTrigger Reachable Dangerous Capabilitybin/rail20.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings