registry  /  @sherwoodagent/cli  /  0.72.3

@sherwoodagent/cli@0.72.3

CLI for agent-managed investment funds — onchain DeFi funds with XMTP chat

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installing the package invokes a lifecycle hook that performs a networked npm install and removes nested XMTP binding copies inside this package's dependency tree. Separately, explicit fund-session functionality can manage OpenClaw cron jobs.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install for the lifecycle hook; explicit Sherwood fund/session commands for cron management.
Impact
Installation can mutate this package's installed dependency tree and contact the npm registry; no confirmed foreign AI-agent configuration takeover or data exfiltration was established.
Mechanism
package-scoped dependency replacement and user-commanded OpenClaw cron integration.
Rationale
The package has a concrete install-time dependency mutation that warrants a warning, but source inspection found no payload execution, credential theft, exfiltration, destructive action outside its dependency tree, or unconsented mutation of a foreign/broad AI-agent control surface.
Evidence
package.jsonscripts/pin-xmtp-bindings.cjsdist/cron-QMLRWDJG.jsdist/agent-6IRZUPFT.jsdist/chunk-GSC7PVEO.jsdist/xmtp-M32JSE4I.jsnode_modules/@xmtp/node-bindingsnode_modules/@xmtp/node-sdk/node_modules/@xmtp/node-bindings

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines a postinstall hook.
  • scripts/pin-xmtp-bindings.cjs runs `npm install --no-save --force` during installation.
  • The hook recursively removes nested `@xmtp/node-bindings` directories under its own node_modules.
  • dist/cron-QMLRWDJG.js can create OpenClaw cron jobs when invoked by fund-session flows.
Evidence against
  • The postinstall target is a fixed XMTP bindings version, not a fetched script or arbitrary URL.
  • Lifecycle file scopes deletion to `@xmtp/node-bindings` beneath this CLI's node_modules.
  • No eval, VM execution, shell interpolation of external input, credential harvesting, or exfiltration was found in inspected paths.
  • OpenClaw operations use fixed `execFileSync` argument arrays and are command-triggered, not install-time.
  • Runtime network calls in dist/agent-6IRZUPFT.js are DeFi data APIs aligned with the CLI's stated investment-agent functionality.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 1.15 MB of source, external domains: api.alternative.me, api.binance.com, api.coingecko.com, api.dexscreener.com, api.hyperliquid.xyz, api.llama.fi, api.messari.io, api.nansen.ai, api.twitter.com, api.venice.ai, app.sherwood.sh, base-rpc.publicnode.com, basescan.org, coins.llama.fi, developers.uniswap.org, docs.venice.ai, eips.ethereum.org, explorer.testnet.chain.robinhood.com, fapi.binance.com, hyperliquid.cloud.blockscout.com, mainnet.base.org, merkl.angle.money, robinhoodchain.blockscout.com, rpc.hyperliquid.xyz, rpc.mainnet.chain.robinhood.com, rpc.testnet.chain.robinhood.com, sherwood.mypinata.cloud, sherwood.sh, spectator.sherwood.sh, stablecoins.llama.fi, testnet.app.sherwood.sh, trade-api.gateway.uniswap.org, www.sherwood.sh, yields.llama.fi

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/pin-xmtp-bindings.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/agent-6IRZUPFT.jsView file
1082// src/providers/data/tradingview.ts L1083: import { spawn } from "child_process"; L1084: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/agent-6IRZUPFT.jsView on unpkg · L1082
69try { L70: const res = await fetch(`https://api.llama.fi/tvl/${encodeURIComponent(protocol)}`); L71: if (!res.ok) throw new Error(`DefiLlama tvl error: ${res.status} ${res.statusText}`); L72: const data = await res.json(); L73: return data; ... L171: constructor() { L172: this.cacheDir = join(homedir(), ".sherwood", "agent", "cache", "coingecko"); L173: this.apiKey = process.env.COINGECKO_API_KEY; L174: if (this.apiKey) { ... L281: async getPrice(ids, vsCurrencies = ["usd"]) { L282: const params = new URLSearchParams({ L283: ids: ids.join(","),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/agent-6IRZUPFT.jsView on unpkg · L69
scripts/pin-xmtp-bindings.cjsView file
47L48: const { execSync } = require("node:child_process"); L49: const fs = require("node:fs"); ... L55: `cd $(dirname $(readlink -f $(which sherwood)))/../lib/node_modules/@sherwoodagent/cli && ` + L56: `npm install --no-save --force ${PINNED}`; L57:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/pin-xmtp-bindings.cjsView on unpkg · L47
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sherwoodagent/cli@0.72.0 matchedIdentity = npm:QHNoZXJ3b29kYWdlbnQvY2xp:0.72.0 similarity = 0.902 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical4 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/agent-6IRZUPFT.js
HighShell
HighRuntime Package Installscripts/pin-xmtp-bindings.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/agent-6IRZUPFT.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings