registry  /  @simonyea/holysheep-cli  /  2.1.103

@simonyea/holysheep-cli@2.1.103

Claude Code/Cursor/Cline API relay for China — ¥1=$1, WeChat/Alipay payment, no credit card, no VPN. One command setup for all AI coding tools.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a CLI for configuring AI coding tools to use HolySheep relay endpoints, with user-invoked local config writes and installer launches.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs hs commands such as login, setup, web, upgrade, or claude
Impact
Local AI tool settings and shell environment may be changed when the user invokes setup/web actions; no unconsented exfiltration confirmed
Mechanism
Package-aligned CLI configuration, local proxying, and optional tool installation
Rationale
Scanner findings are explained by the package's stated purpose: configuring AI coding tools and proxying requests through HolySheep. I found no install-time execution, unrelated exfiltration endpoint, hidden payload, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/configure-worker.js~/.holysheep/config.jsonshell rc files such as ~/.zshrc or ~/.bashrcAI tool config files for Claude/Codex/OpenCode/OpenClaw/Droid/Qwen/CodeBuddy
Network endpoints7
api.holysheep.aiapi.holysheep.ai/v1api.holysheep.ai/claude-relayholysheep.aiwww.holysheep.ai/api/stats/overviewregistry.npmjs.org/@simonyea/holysheep-cli/latestwww.holysheep.ai/app/desktop/aionui-runtime-v1.9.18-holysheep-hs38.tar.gz

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js web doctor route returns selected env var values to local HTTP response
  • dist/index.js/dist/configure-worker.js can write AI tool configs, shell rc/env vars, and spawn installer commands from user-invoked setup/web/upgrade flows
  • dist/index.js downloads/launches bundled AionUI runtime from holysheep URL with sha256 check
Evidence against
  • package.json has no install/postinstall/prepare lifecycle; only prepublishOnly for publishing
  • bin/main dist/index.js exposes CLI commands; risky actions are behind explicit login/setup/web/upgrade/claude commands
  • dist/index.js login validates user API key only against https://api.holysheep.ai/v1/models and saves it under ~/.holysheep/config.json
  • dist/index.js removes HOLYSHEEP_API_KEY before spawning AionUI runtime
  • network hosts are package-aligned: holysheep.ai API/site, npm registry version check, documented tool installers
  • No evidence of credential harvesting to unrelated endpoint, persistence outside declared tool config, or import/install-time execution
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 718 KB of source, external domains: 127.0.0.1, aistudio.google.com, api.holysheep.ai, app.factory.ai, bun.sh, claude.ai, developers.openai.com, docs.anthropic.com, docs.factory.ai, docs.openclaw.ai, gitee.com, github.com, hermes-agent.nousresearch.com, holysheep.ai, mail.holysheep.ai, nodejs.org, opencode.ai, qwenlm.github.io, raw.githubusercontent.com, registry.npmjs.org, registry.npmmirror.com, www.codebuddy.ai, www.holysheep.ai

Source & flagged code

10 flagged · loading source
dist/configure-worker.jsView file
1082var fs = require("fs"); L1083: var { exec, execSync, execFileSync } = require("child_process"); L1084: function canRun(command, options = {}) {
High
Child Process

Package source references child process execution.

dist/configure-worker.jsView on unpkg · L1082
1154const out = execFileSync( L1155: "powershell.exe", L1156: ["-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", "[Environment]::GetEnvironmentVariable('Path', 'User')"],
High
Shell

Package source references shell execution.

dist/configure-worker.jsView on unpkg · L1154
14Cross-file remote execution chain: dist/configure-worker.js spawns dist/process-proxy-inject.js; helper contains network access plus dynamic code execution. L14: var os = require("os"); L15: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L16: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); L17: var BASE_URL_ANTHROPIC = "https://api.holysheep.ai"; L18: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L19: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L20: var SHOP_URL = "https://holysheep.ai"; ... L29: if (fs.existsSync(CONFIG_FILE)) { L30: return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf8")); L31: } ... L280: headers: { "content-type": "application/json" }, L281: body: JSON.stringify(requestBody)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/configure-worker.jsView on unpkg · L14
3326if (hasNpx()) { L3327: return { cmd: "npx", argsPrefix: ["openclaw"], shell: isWin, label: "npx openclaw", via: "npx" }; L3328: } ... L3335: function runWithRunner(runner, args, opts = {}) { L3336: return spawnSync(runner.cmd, [...runner.argsPrefix, ...args], { L3337: shell: runner.shell,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/configure-worker.jsView on unpkg · L3326
14var os = require("os"); L15: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L16: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); L17: var BASE_URL_ANTHROPIC = "https://api.holysheep.ai"; L18: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L19: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L20: var SHOP_URL = "https://holysheep.ai"; ... L29: if (fs.existsSync(CONFIG_FILE)) { L30: return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf8")); L31: } ... L280: headers: { "content-type": "application/json" }, L281: body: JSON.stringify(requestBody)
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/configure-worker.jsView on unpkg · L14
dist/index.jsView file
7400var os = require("os"); L7401: var http = require("http"); L7402: var { spawn, execSync, execFileSync } = require("child_process"); L7403: var chalk2 = require("chalk"); ... L7415: var { getApiKey } = require_config(); L7416: var HS_DIR = process.env.HOLYSHEEP_DIR || path.join(os.homedir(), ".holysheep"); L7417: var PID_FILE = path.join(HS_DIR, "claude-proxy.pid");
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L7400
9L10: // package.json L11: var require_package = __commonJS({ ... L61: ], L62: homepage: "https://holysheep.ai", L63: repository: { ... L106: var os = require("os"); L107: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L108: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); ... L110: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L111: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L112: var SHOP_URL = "https://holysheep.ai";
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L9
9Trigger-reachable chain: manifest.main -> dist/index.js L9: L10: // package.json L11: var require_package = __commonJS({ ... L61: ], L62: homepage: "https://holysheep.ai", L63: repository: { ... L106: var os = require("os"); L107: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L108: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); ... L110: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L111: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L112: var SHOP_URL = "https://holysheep.ai";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L9
9L10: // package.json L11: var require_package = __commonJS({ ... L61: ], L62: homepage: "https://holysheep.ai", L63: repository: { ... L106: var os = require("os"); L107: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L108: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); ... L110: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L111: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L112: var SHOP_URL = "https://holysheep.ai";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L9
dist/pty-hermes-wrapper.pyView file
path = dist/pty-hermes-wrapper.py kind = build_helper sizeBytes = 6726 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/pty-hermes-wrapper.pyView on unpkg

Findings

3 Critical5 High5 Medium5 Low
CriticalSame File Env Network Executiondist/index.js
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/configure-worker.js
HighShelldist/configure-worker.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/configure-worker.js
HighRuntime Package Installdist/configure-worker.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/configure-worker.js
MediumShips Build Helperdist/pty-hermes-wrapper.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings