registry  /  @venos-inc/venos  /  0.1.14

@venos-inc/venos@0.1.14

Self-service CLI for venos — wire your AI client to the venos security gateway in one command.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI security gateway CLI that can wire broad AI-agent configs and optional heartbeat/inventory persistence when the user runs its commands. No install-time or import-time attack behavior was found.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes `venos init`, `venos heartbeat`, scan commands, or MCP tools
Impact
Can route AI client traffic through venos and report local AI tool/skill/MCP/document inventory to a configured venos orchestrator.
Mechanism
User-invoked agent configuration, local service setup, and inventory upload
Rationale
Static inspection shows powerful but package-aligned, user-invoked AI gateway setup with optional persistence/inventory reporting, and no npm install hook or automatic import-time mutation. Because it can lifecycle-manage broad agent integrations and recurring heartbeat/inventory under explicit CLI control, warn-level agent extension lifecycle risk is more appropriate than a publish block.
Evidence
package.jsondist/index.jsREADME.mdetc/mcp-server/client.jsetc/mcp-server/tools.js~/.claude/settings.json~/Library/Application Support/Claude/claude_desktop_config.json~/.cursor/mcp.json~/.codex/config.toml~/.codex/hooks.json~/.codeium/windsurf/mcp_config.json~/.config/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json~/.config/zed/settings.json~/.junie/mcp/mcp.json~/.aider.conf.yml~/.vscode/settings.json~/.venos/config.json~/.venos/service.json~/Library/LaunchAgents/ai.venos.agent.plist~/.config/systemd/user/venos-heartbeat.timer
Network endpoints8
127.0.0.1:4000/v1/api/finops/pricing/api/finops/session-waste/v1/inventory/mcp/v1/inventory/skills/v1/inventory/skill-findings/v1/inventory/heartbeat/v1/inventory/uninstall

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js defines user-invoked wiring for Claude/Codex/Cursor/Windsurf/Cline/Zed/JetBrains/Aider configs.
  • dist/index.js can install LaunchAgent/systemd timer/schtasks heartbeat persistence via CLI code.
  • Heartbeat/inventory code uploads MCP servers, Claude skills/plugins, agent inventory, documents to configured orchestrator.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hook; prepublishOnly is publisher-side only.
  • Agent config mutations are behind the `venos init` CLI path, not automatic on package install or import.
  • Network destinations are configured/local venos gateway URLs and package-aligned inventory/hook endpoints.
  • Child process use is mostly platform service commands, trivy/skillspector scanners, and bundled CLI helpers.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 11 file(s), 164 KB of source, external domains: 127.0.0.1, aquasecurity.github.io, www.apple.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
45`:`${Le} L46: `;return g(n,o),{status:"wired",path:n}}import{execFileSync as ms}from"node:child_process";import{existsSync as sn,mkdirSync as ns,rmSync as rs,writeFileSync as os}from"node:fs";im... L47: `,"utf8")}function V(e){let t=He(e);return on(t)?(Zo(t,{force:!0}),!0):!1}function F(e){return on(He(e))}function an(e){return is(e,"Library","LaunchAgents",`${De}.plist`)}function...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L45
93WantedBy=timers.target L94: `}var fn={platform:"linux",install(e){let t=pn(e.home),n=X(t,ue);try{let r=le(n);return ls(t,{recursive:!0}),un(X(t,dn),us(e.nodePath,e.cliEntry),"utf8"),un(n,ds(),"utf8"),e.run("s... L95: `,"utf8")}catch{}}function ti(e){let t;try{t=JSON.parse(e)}catch{return e}if(typeof t!="object"||t===null||Array.isArray(t))return e;let n=t,r=n.transcript_path;if(typeof r!="strin... L96: `,"utf8"),n}catch{return""}}function li(e,t,n){if(t===""&&n==="")return e;let r;try{r=JSON.parse(e)}catch{return e}if(typeof r!="object"||r===null||Array.isArray(r))return e;let o=... L97: `),process.exit(1))}function Dn(e,t,n,r){let o=mi(e,t,n,r);o.stdout!==""&&process.stdout.write(o.stdout),o.stderr!==""&&process.stderr.write(o.stderr),o.exitCode!==void 0&&process....
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L93
93WantedBy=timers.target L94: `}var fn={platform:"linux",install(e){let t=pn(e.home),n=X(t,ue);try{let r=le(n);return ls(t,{recursive:!0}),un(X(t,dn),us(e.nodePath,e.cliEntry),"utf8"),un(n,ds(),"utf8"),e.run("s... L95: `,"utf8")}catch{}}function ti(e){let t;try{t=JSON.parse(e)}catch{return e}if(typeof t!="object"||t===null||Array.isArray(t))return e;let n=t,r=n.transcript_path;if(typeof r!="strin... L96: `,"utf8"),n}catch{return""}}function li(e,t,n){if(t===""&&n==="")return e;let r;try{r=JSON.parse(e)}catch{return e}if(typeof r!="object"||r===null||Array.isArray(r))return e;let o=... L97: `),process.exit(1))}function Dn(e,t,n,r){let o=mi(e,t,n,r);o.stdout!==""&&process.stdout.write(o.stdout),o.stderr!==""&&process.stderr.write(o.stderr),o.exitCode!==void 0&&process....
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L93
2import{readFileSync as tc}from"node:fs";import{homedir as U}from"node:os";import{chmodSync as rr,existsSync as sr,mkdirSync as Ci,readFileSync as Oi,rmSync as xi,writeFileSync as b... L3: `}var H="http://127.0.0.1:4000/v1";var Gr="venos",Yr="venos hook",zr="venos usage-sync",Xr="venos usage-sync --throttle";function lt(e,t){return(e??[]).some(n=>n.hooks.some(r=>type... L4: `,i===t&&(o+=" ".repeat(s+n+2),o+=`^ ... L41: sibling: ${n} L42: If you are developing locally, run: pnpm --filter @venos/mcp-server build`)}import{existsSync as Do}from"node:fs";function Ho(e,t,n){let r=e.configPath(t);if(!e.isInstalled(t))retu... L43: ... L45: `:`${Le} L46: `;return g(n,o),{status:"wired",path:n}}import{execFileSync as ms}from"node:child_process";import{existsSync as sn,mkdirSync as ns,rmSync as rs,writeFileSync as os}from"node:fs";im... L47: `,"utf8")}function V(e){let t=He(e);return on(t)?(Zo(t,{force:!0}),!0):!1}function F(e){return on(He(e))}function an(e){return is(e,"Library","LaunchAgents",`${De}.plist`)}function... ... L75: </plist> L76: `}var cn={platform:"darwin",install(e){let t=an(e.home);try{let n=sn(t);ns(ss(t),{recursive:!0}),os(t,as(e.nodePath,e.cliEntry),"utf8");try{e.run(
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L2

Findings

4 High3 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License