registry  /  @venos-inc/venos  /  0.1.16

@venos-inc/venos@0.1.16

Self-service CLI for venos — wire your AI client to the venos security gateway in one command.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. User-invoked CLI setup can alter supported AI-client configurations and install an optional recurring heartbeat. Enabled commands and hooks collect AI workflow, host, inventory, usage, or selected document data and report it to a user-configured Venos gateway. No unconsented install-time execution or hidden endpoint was established.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `venos init`, `heartbeat`, or explicit scan/sync commands; configured AI-client hooks may invoke bundled components.
Impact
A user who configures the tool authorizes broad access to supported AI-client configuration and enabled scan data, plus transmission to the supplied gateway.
Mechanism
Explicit agent configuration, optional heartbeat persistence, and configured-gateway telemetry/policy reporting.
Rationale
The package is not conclusively malicious under the install-control-surface boundary because sensitive actions are user-invoked rather than preinstall/install/postinstall behavior. It warrants a warning for broad AI-agent lifecycle integration, optional persistence, and telemetry collection.
Evidence
package.jsonREADME.mddist/index.jsetc/mcp-server/client.jsetc/mcp-server/wrap-bin.jsetc/mcp-server/wrap.js`~/.venos/config.json``~/.venos/machine-id`AI-client config/rules files under the user's home directoryuser-level systemd unit / Windows Scheduled Task / macOS launchd state
Network endpoints2
caller-supplied `--orchestrator` URL`http://localhost:8788`

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` wires AI-client MCP/hook/rules configs through explicit `venos init`.
  • `dist/index.js` stores supplied gateway credentials in `~/.venos/config.json` and reports hooks, usage, inventory, and heartbeat data.
  • `dist/index.js` optionally creates user-level recurring heartbeat persistence via systemd, Scheduled Tasks, or launchd.
  • `etc/mcp-server/client.js` uploads user-selected document bytes to the configured Venos API.
  • `etc/mcp-server/wrap-bin.js` launches an explicitly configured wrapped MCP server and intercepts its tool calls for policy checks.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • No import-time execution: `dist/index.js` is the `venos` bin entrypoint.
  • Network targets derive from supplied orchestrator configuration; inspected code has no hidden hard-coded third-party collection host.
  • README documents the sensitive setup and scan behavior as explicit user commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 19 file(s), 257 KB of source, external domains: 127.0.0.1, api.openai.com, app.venos.ai, aquasecurity.github.io, chromewebstore.google.com, www.apple.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @venos-inc/venos@0.1.15 matchedIdentity = npm:QHZlbm9zLWluYy92ZW5vcw:0.1.15 similarity = 0.611 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
1#!/usr/bin/env node L2: import{readFileSync as Lf}from"node:fs";import{homedir as B}from"node:os";import{chmodSync as Cs,existsSync as bs,mkdirSync as qu,readFileSync as Zu,rmSync as Qu,writeFileSync as e... L3: `,"utf8"),r}catch{return""}}function x(e=process.platform,t=wi){if(e==="darwin")try{let n=t().trim();if(n!=="")return n.endsWith(".local")?n:`${n}.local`}catch{}try{let n=ki();retu...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: import{readFileSync as Lf}from"node:fs";import{homedir as B}from"node:os";import{chmodSync as Cs,existsSync as bs,mkdirSync as qu,readFileSync as Zu,rmSync as Qu,writeFileSync as e... L3: `,"utf8"),r}catch{return""}}function x(e=process.platform,t=wi){if(e==="darwin")try{let n=t().trim();if(n!=="")return n.endsWith(".local")?n:`${n}.local`}catch{}try{let n=ki();retu... L4: `}var fe="http://127.0.0.1:4000/v1";var ji="venos",Hi="venos hook",$i="venos usage-sync",Mi="venos usage-sync --throttle";function wn(e,t){return(e??[]).some(n=>n.hooks.some(r=>typ...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
173WantedBy=timers.target L174: `}var co={platform:"linux",install(e){let t=ao(e.home),n=Pe(t,Ve);try{let r=Ke(n);return tl(t,{recursive:!0}),so(Pe(t,io),nl(e.nodePath,e.cliEntry),"utf8"),so(n,rl(),"utf8"),e.run(... L175: `}function El(e,t,n,r){if(r==="win32"){ze(e,`@echo off\r
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L173
1#!/usr/bin/env node L2: import{readFileSync as Lf}from"node:fs";import{homedir as B}from"node:os";import{chmodSync as Cs,existsSync as bs,mkdirSync as qu,readFileSync as Zu,rmSync as Qu,writeFileSync as e... L3: `,"utf8"),r}catch{return""}}function x(e=process.platform,t=wi){if(e==="darwin")try{let n=t().trim();if(n!=="")return n.endsWith(".local")?n:`${n}.local`}catch{}try{let n=ki();retu... L4: `}var fe="http://127.0.0.1:4000/v1";var ji="venos",Hi="venos hook",$i="venos usage-sync",Mi="venos usage-sync --throttle";function wn(e,t){return(e??[]).some(n=>n.hooks.some(r=>typ... ... L45: }); L46: return typeof res.stdout === "string" ? res.stdout : ""; L47: } catch { ... L110: `}var Xn={name:"opencode-hook",transport:"claude-hook",configPath(e){return zn(e,".config","opencode","plugin","venos.js")},isInstalled(e){return bt(zn(e,".config","opencode"))},lo... L111: `)}};import{existsSync as Tt,readFileSync as qa}from"node:fs";import{join as mr}from"node:path";function gr(e){let t=e.mcpServers?.venos;if(!t||t.command!=="node")return!1;let n=t.... L112: # venos-managed cline hook - do not edit; wired by \`venos init\` ... L155: </plist> L156: `}var ro={platform:"darwin",install(e){le
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: import{readFileSync as Lf}from"node:fs";import{homedir as B}from"node:os";import{chmodSync as Cs,existsSync as bs,mkdirSync as qu,readFileSync as Zu,rmSync as Qu,writeFileSync as e... L3: `,"utf8"),r}catch{return""}}function x(e=process.platform,t=wi){if(e==="darwin")try{let n=t().trim();if(n!=="")return n.endsWith(".local")?n:`${n}.local`}catch{}try{let n=ki();retu... L4: `}var fe="http://127.0.0.1:4000/v1";var ji="venos",Hi="venos hook",$i="venos usage-sync",Mi="venos usage-sync --throttle";function wn(e,t){return(e??[]).some(n=>n.hooks.some(r=>typ... ... L45: }); L46: return typeof res.stdout === "string" ? res.stdout : ""; L47: } catch { ... L110: `}var Xn={name:"opencode-hook",transport:"claude-hook",configPath(e){return zn(e,".config","opencode","plugin","venos.js")},isInstalled(e){return bt(zn(e,".config","opencode"))},lo... L111: `)}};import{existsSync as Tt,readFileSync as qa}from"node:fs";import{join as mr}from"node:path";function gr(e){let t=e.mcpServers?.venos;if(!t||t.command!=="node")return!1;let n=t.... L112: # venos-managed cline hook - do not edit; wired by \`venos init\` ... L155: </plist> L156: `}var ro={platform:"darwin",install(e){le
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L1

Findings

1 Critical4 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License