registry  /  @sherwoodagent/cli  /  0.73.3

@sherwoodagent/cli@0.73.3

CLI for agent-managed investment funds — onchain DeFi funds with XMTP chat

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
`npm install` for dependency pinning; explicit `sherwood fund` create/join workflows for cron registration
Impact
Modifies its own dependency tree at install time and can establish recurring agent tasks after user action.
Mechanism
Forced XMTP binding installation plus user-command OpenClaw cron registration
Rationale
Source inspection confirms risky lifecycle and agent-scheduling behavior, but it is package-aligned or triggered by explicit CLI workflows rather than a concrete malicious chain. Warn rather than block.
Evidence
package.jsonscripts/pin-xmtp-bindings.cjsdist/cron-QMLRWDJG.jsdist/index.jsdist/agent-UNSW5IPO.jsnode_modules/@xmtp/node-bindings

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `scripts/pin-xmtp-bindings.cjs` during `postinstall`.
  • `scripts/pin-xmtp-bindings.cjs` executes forced `npm install` at install time.
  • The postinstall recursively removes nested `@xmtp/node-bindings` directories in its install tree.
  • `dist/cron-QMLRWDJG.js` creates OpenClaw cron jobs that run every 15 minutes and hourly.
  • `dist/index.js` invokes cron registration after explicit fund creation/join commands.
  • `dist/agent-UNSW5IPO.js` spawns a fixed local TradingView MCP binary with inherited environment.
Evidence against
  • Postinstall behavior is transparent, constrained to XMTP dependency pinning, and exits without blocking install.
  • No source evidence of credential harvesting or exfiltration.
  • No remote payload URL, eval/vm execution, or arbitrary shell interpolation was found.
  • OpenClaw mutation uses fixed executable arguments and only occurs after user-invoked fund workflows.
  • Cron removal is provided by the explicit `fund leave` command.
  • Config secrets are saved only through explicit `config set` options.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 1.16 MB of source, external domains: api.alternative.me, api.binance.com, api.coingecko.com, api.dexscreener.com, api.hyperliquid.xyz, api.llama.fi, api.messari.io, api.nansen.ai, api.twitter.com, api.venice.ai, app.sherwood.sh, base-rpc.publicnode.com, basescan.org, coins.llama.fi, developers.uniswap.org, docs.venice.ai, eips.ethereum.org, explorer.testnet.chain.robinhood.com, fapi.binance.com, hyperliquid.cloud.blockscout.com, mainnet.base.org, merkl.angle.money, robinhoodchain.blockscout.com, rpc.hyperliquid.xyz, rpc.mainnet.chain.robinhood.com, rpc.testnet.chain.robinhood.com, sherwood.mypinata.cloud, sherwood.sh, spectator.sherwood.sh, stablecoins.llama.fi, testnet.app.sherwood.sh, trade-api.gateway.uniswap.org, www.sherwood.sh, yields.llama.fi

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/pin-xmtp-bindings.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/cron-QMLRWDJG.jsView file
1// src/lib/cron.ts L2: import { execFileSync } from "child_process"; L3: var _isOpenClaw = null;
High
Child Process

Package source references child process execution.

dist/cron-QMLRWDJG.jsView on unpkg · L1
dist/agent-UNSW5IPO.jsView file
69try { L70: const res = await fetch(`https://api.llama.fi/tvl/${encodeURIComponent(protocol)}`); L71: if (!res.ok) throw new Error(`DefiLlama tvl error: ${res.status} ${res.statusText}`); L72: const data = await res.json(); L73: return data; ... L171: constructor() { L172: this.cacheDir = join(homedir(), ".sherwood", "agent", "cache", "coingecko"); L173: this.apiKey = process.env.COINGECKO_API_KEY; L174: if (this.apiKey) { ... L281: async getPrice(ids, vsCurrencies = ["usd"]) { L282: const params = new URLSearchParams({ L283: ids: ids.join(","),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/agent-UNSW5IPO.jsView on unpkg · L69
scripts/pin-xmtp-bindings.cjsView file
47L48: const { execSync } = require("node:child_process"); L49: const fs = require("node:fs"); ... L55: `cd $(dirname $(readlink -f $(which sherwood)))/../lib/node_modules/@sherwoodagent/cli && ` + L56: `npm install --no-save --force ${PINNED}`; L57:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/pin-xmtp-bindings.cjsView on unpkg · L47
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sherwoodagent/cli@0.73.2 matchedIdentity = npm:QHNoZXJ3b29kYWdlbnQvY2xp:0.73.2 similarity = 0.854 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical4 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cron-QMLRWDJG.js
HighShell
HighRuntime Package Installscripts/pin-xmtp-bindings.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/agent-UNSW5IPO.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings