registry  /  @rail20/cli  /  0.3.5

@rail20/cli@0.3.5

Private payments for onchain agents. CLI for RAIL20 - shield, send, swap, bridge with zero-knowledge privacy on Base and Robinhood Chain.

AI Security Review

scanned 51m ago · by lpm-firewall-ai

Explicit `swap` and router-bridge commands create burner wallets and upload encrypted burner keys. The same backend later receives the signature used as the encryption-key derivation material and API-controlled transaction payloads are broadcast by local signers.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `rail20 swap` or router `rail20 bridge` with a configured wallet.
Impact
The default API can correlate and decrypt burner keys, then control funds held in those burner wallets; API-generated transactions also receive local signatures.
Mechanism
Recoverable burner-key disclosure to the API plus remote transaction construction.
Rationale
No install-time malware or unrelated host compromise is present, but the source creates a concrete backend-accessible burner-key exposure in a financial CLI. This is a serious package security vulnerability rather than proof of intentional malware.
Evidence
bin/rail20.jspackage.json~/.rail20/wallet.json~/.rail20/config.json
Network endpoints4
api.rail20.org/api/burner/registerapi.rail20.org/api/swap-privateapi.rail20.org/api/router/executeapi.rail20.org/api/deposit/prepare

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `bin/rail20.js` encrypts burner private keys with a key derived from the RAIL20 sign-in signature.
  • Swap/bridge flows send that same `signature` to `https://api.rail20.org` alongside an identifiable burner address.
  • The API receives registered ciphertext and can correlate it with later `/api/swap-private` requests, enabling burner-key recovery.
  • User-invoked flows broadcast API-supplied transaction payloads from the main wallet or burner.
Evidence against
  • `package.json` contains no install or lifecycle scripts.
  • Entrypoint execution is limited to explicit `rail20` commands.
  • No child-process, eval, dynamic code loading, or AI-agent control-surface mutation was found.
  • Main wallet private key is stored locally only after explicit `rail20 login`; source does not directly POST it.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 66.2 KB of source, external domains: api.rail20.org, basescan.org, docs.rail20.org, registry.npmjs.org, robinhoodchain.blockscout.com, rpc.mainnet.chain.robinhood.com

Source & flagged code

2 flagged · loading source
bin/rail20.jsView file
2/** L3: * rail20 CLI - private payments for onchain agents. L4: * ... L21: // === constants === L22: const API = process.env.RAIL20_API || 'https://api.rail20.org' L23: const SIGN_MESSAGE = ... L26: 'No transaction will be sent.' L27: const CONFIG_DIR = path.join(os.homedir(), '.rail20') L28: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json') // cached RAIL20 sig ... L37: function color(text, col) { L38: return process.stdout.isTTY ? `${col}${text}${c.reset}` : text L39: }
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

bin/rail20.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> bin/rail20.js L2: /** L3: * rail20 CLI - private payments for onchain agents. L4: * ... L21: // === constants === L22: const API = process.env.RAIL20_API || 'https://api.rail20.org' L23: const SIGN_MESSAGE = ... L26: 'No transaction will be sent.' L27: const CONFIG_DIR = path.join(os.homedir(), '.rail20') L28: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json') // cached RAIL20 sig ... L37: function color(text, col) { L38: return process.stdout.isTTY ? `${col}${text}${c.reset}` : text L39: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/rail20.jsView on unpkg · L2

Findings

2 Critical3 Medium3 Low
CriticalWallet Drainbin/rail20.js
CriticalTrigger Reachable Dangerous Capabilitybin/rail20.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings