registry  /  @soloco/client  /  0.1.1

@soloco/client@0.1.1

Soloco 本地客户端 daemon — local-first 长期使命型 agent 操作系统的本地执行权威

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a local Soloco daemon/CLI that can run local agent tools and sync after account authentication, but those behaviors are aligned with its stated function and mostly user/runtime-triggered.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
global install may auto-start local daemon; CLI/runtime actions trigger agent execution and optional cloud sync
Impact
No confirmed unconsented exfiltration, persistence, destructive action, or agent control-surface hijack
Mechanism
local daemon orchestration with authenticated cloud sync
Rationale
Static inspection shows risky primitives, but they are part of an advertised local agent daemon and are gated or user/auth-triggered rather than hidden malicious behavior. The scanner's command-output exfiltration concern is mitigated by local_only defaults, syncable selection, auth requirement, and redaction paths in dist/cli.js.
Evidence
package.jsonpostinstall.mjswelcome-banner.mjsdist/cli.js~/.soloco/auth.json~/.soloco/daemon.db~/.soloco/files~/.soloco/daemon-token~/.soloco/daemon.pid~/.soloco/daemon.log~/.soloco/trusted-roots.json
Network endpoints4
soloco.cloudregistry.npmjs.org127.0.0.1:<SOLOCO_DAEMON_PORT>localhost:<SOLOCO_DAEMON_PORT>

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.mjs
  • postinstall.mjs can spawn dist/cli.js start on interactive global installs
  • dist/cli.js contains runtime command spawning for agent CLIs
  • dist/cli.js can sync authenticated syncable data to https://soloco.cloud
Evidence against
  • postinstall.mjs gates auto-start to npm_config_global=true, TTY, non-CI, non-SSH, display, with SOLOCO_NO_AUTO_START opt-out
  • No install-time credential/env/file harvesting or network calls found in postinstall.mjs
  • dist/cli.js network endpoints are package-aligned account auth/cloud sync/update/local daemon routes
  • runProcess strips known provider credentials and secret-shaped env vars before agent subprocesses
  • runtime stdout/stderr is redacted before persistence/sync; telemetry defaults local_only
  • Workspace access is user-invoked and constrained by allowed roots/protected-location checks
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 4 file(s), 1.75 MB of source, external domains: 127.0.0.1, code.claude.com, github.com, json-schema.org, react.dev, registry.npmjs.org, soloco.cloud, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
30import { join } from "path"; L31: var solocoHome = join(homedir(), ".soloco"); L32: var DEFAULT_DAEMON_CONFIG = { ... L50: authFile: join(solocoHome, "auth.json"), L51: serverBaseUrl: "https://soloco.cloud" L52: }, ... L127: function stringDefault(envKey, fallback) { L128: const raw = process.env[envKey]?.trim(); L129: return raw ? raw : fallback; ... L153: async write(content) { L154: return await this.writeBytes(Buffer.from(content, "utf8")); L155: },
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli.jsView on unpkg · L30
30Trigger-reachable chain: manifest.bin -> dist/cli.js L30: import { join } from "path"; L31: var solocoHome = join(homedir(), ".soloco"); L32: var DEFAULT_DAEMON_CONFIG = { ... L50: authFile: join(solocoHome, "auth.json"), L51: serverBaseUrl: "https://soloco.cloud" L52: }, ... L127: function stringDefault(envKey, fallback) { L128: const raw = process.env[envKey]?.trim(); L129: return raw ? raw : fallback; ... L153: async write(content) { L154: return await this.writeBytes(Buffer.from(content, "utf8")); L155: },
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L30
17341// src/adapters/process.ts L17342: import { spawn } from "child_process"; L17343:
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L17341
17372root, L17373: `${root}\\System32\\WindowsPowerShell\\v1.0` L17374: ];
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L17372
30import { join } from "path"; L31: var solocoHome = join(homedir(), ".soloco"); L32: var DEFAULT_DAEMON_CONFIG = { ... L50: authFile: join(solocoHome, "auth.json"), L51: serverBaseUrl: "https://soloco.cloud" L52: }, ... L127: function stringDefault(envKey, fallback) { L128: const raw = process.env[envKey]?.trim(); L129: return raw ? raw : fallback; ... L153: async write(content) { L154: return await this.writeBytes(Buffer.from(content, "utf8")); L155: },
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.jsView on unpkg · L30
postinstall.mjsView file
17Cross-file remote execution chain: postinstall.mjs spawns dist/cli.js; helper contains network access plus dynamic code execution. L17: L18: import { spawn } from 'node:child_process'; L19: import { readFileSync } from 'node:fs'; ... L30: // Read our own version for the banner. Best-effort: a missing/garbled L31: // package.json just drops the version line, never throws. L32: function readVersion() { ... L37: ); L38: return JSON.parse(readFileSync(pkgPath, 'utf8')).version || ''; L39: } catch { ... L46: // dev `pnpm install` (local workspace), `npx` (temp install), and being pulled L47: // in as a dependency — none set npm[redacted]=true. L48: if (process.env.npm[redacted] === 'true') {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

postinstall.mjsView on unpkg · L17

Findings

2 Critical4 High4 Medium7 Low
CriticalCommand Output Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighShelldist/cli.js
HighCross File Remote Execution Contextpostinstall.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/cli.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License