registry  /  @venos-inc/venos  /  0.1.15

@venos-inc/venos@0.1.15

Self-service CLI for venos — wire your AI client to the venos security gateway in one command.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No install-time attack is confirmed, but the CLI has high-risk agent-control and persistence behavior after explicit init. It rewrites multiple AI client configs and installs a recurring heartbeat that uploads inventory to the configured Venos gateway.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `venos init` or later `venos heartbeat`/scheduled heartbeat.
Impact
Routes agent tool calls through Venos controls, persists a heartbeat, uploads host/agent/MCP/skill/document inventory, and may auto-update from orchestrator policy.
Mechanism
user-invoked AI client wiring plus persistent telemetry service
Attack narrative
The package is not activated at npm install. When a user runs `venos init`, it stores Venos config, rewrites several AI-agent control surfaces to call Venos hooks/MCP servers, adds rule-file directives, and installs an OS-level heartbeat service. That service reports health and inventory to the configured gateway and includes an orchestrator-controlled auto-update path. This is powerful and potentially risky, but source inspection shows it is package-aligned and user-invoked rather than a hidden lifecycle hijack.
Rationale
Because the broad agent-control writes and persistence are explicit CLI behavior with required init flags and no npm install-time execution, this does not meet the block threshold for malicious lifecycle hijack. The persistent telemetry and orchestrator-driven update capability warrant a warning.
Evidence
package.jsonREADME.mddist/index.jsetc/mcp-server/client.jsetc/mcp-server/tools.jsetc/session-waste/session-scanner.js~/.venos/config.json~/.venos/service.json~/.venos/heartbeat.last~/.venos/update-check.json~/.claude/settings.json~/.codex/config.toml~/.codex/hooks.json~/.cursor/mcp.json~/.codeium/windsurf/mcp_config.json~/.aider.conf.yml~/Library/LaunchAgents/ai.venos.agent.plist~/.config/systemd/user/venos-heartbeat.service~/.config/systemd/user/venos-heartbeat.timer
Network endpoints8
127.0.0.1:4000/v1localhost:8788/v1/inventory/heartbeat/v1/inventory/mcp/v1/inventory/skills/v1/inventory/agents/v1/inventory/documents/api/cli/policy

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js wires Claude/Codex/Cursor/Windsurf/Cline/Zed/JetBrains/Aider configs and hooks on `venos init`.
  • dist/index.js installs persistent heartbeat via LaunchAgent, systemd user timer, or Windows scheduled task.
  • Heartbeat uploads host/inventory data and can run scan-mcp, scan-skills, scan-agents, scan-documents to configured orchestrator.
  • dist/index.js has server-policy auto-update path that can run npm install -g @venos-inc/venos@version.
  • CLI writes policy directives into .cursorrules/.windsurfrules/.clinerules and MCP/hook configs.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hook; only prepublishOnly.
  • Activation requires explicit `venos init --orchestrator ... --org ...` with required flags.
  • README describes the product as wiring AI clients to a Venos security gateway and preserving existing content.
  • MCP server and hooks appear package-aligned for policy classification rather than credential theft.
  • No hardcoded attacker endpoint; network target is user-supplied orchestrator or localhost default.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 18 file(s), 207 KB of source, external domains: 127.0.0.1, aquasecurity.github.io, www.apple.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @venos-inc/venos@0.1.13 matchedIdentity = npm:QHZlbm9zLWluYy92ZW5vcw:0.1.13 similarity = 0.444 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
45`:`${Le} L46: `;return g(n,o),{status:"wired",path:n}}import{execFileSync as ms}from"node:child_process";import{existsSync as sn,mkdirSync as ns,rmSync as rs,writeFileSync as os}from"node:fs";im... L47: `,"utf8")}function V(e){let t=He(e);return on(t)?(Zo(t,{force:!0}),!0):!1}function F(e){return on(He(e))}function an(e){return is(e,"Library","LaunchAgents",`${De}.plist`)}function...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L45
93WantedBy=timers.target L94: `}var fn={platform:"linux",install(e){let t=pn(e.home),n=X(t,ue);try{let r=le(n);return ls(t,{recursive:!0}),un(X(t,dn),us(e.nodePath,e.cliEntry),"utf8"),un(n,ds(),"utf8"),e.run("s... L95: `,"utf8")}catch{}}function ti(e){let t;try{t=JSON.parse(e)}catch{return e}if(typeof t!="object"||t===null||Array.isArray(t))return e;let n=t,r=n.transcript_path;if(typeof r!="strin... L96: `,"utf8"),n}catch{return""}}function li(e,t,n){if(t===""&&n==="")return e;let r;try{r=JSON.parse(e)}catch{return e}if(typeof r!="object"||r===null||Array.isArray(r))return e;let o=... L97: `),process.exit(1))}function Dn(e,t,n,r){let o=mi(e,t,n,r);o.stdout!==""&&process.stdout.write(o.stdout),o.stderr!==""&&process.stderr.write(o.stderr),o.exitCode!==void 0&&process....
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L93
93WantedBy=timers.target L94: `}var fn={platform:"linux",install(e){let t=pn(e.home),n=X(t,ue);try{let r=le(n);return ls(t,{recursive:!0}),un(X(t,dn),us(e.nodePath,e.cliEntry),"utf8"),un(n,ds(),"utf8"),e.run("s... L95: `,"utf8")}catch{}}function ti(e){let t;try{t=JSON.parse(e)}catch{return e}if(typeof t!="object"||t===null||Array.isArray(t))return e;let n=t,r=n.transcript_path;if(typeof r!="strin... L96: `,"utf8"),n}catch{return""}}function li(e,t,n){if(t===""&&n==="")return e;let r;try{r=JSON.parse(e)}catch{return e}if(typeof r!="object"||r===null||Array.isArray(r))return e;let o=... L97: `),process.exit(1))}function Dn(e,t,n,r){let o=mi(e,t,n,r);o.stdout!==""&&process.stdout.write(o.stdout),o.stderr!==""&&process.stderr.write(o.stderr),o.exitCode!==void 0&&process....
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L93
2import{readFileSync as tc}from"node:fs";import{homedir as U}from"node:os";import{chmodSync as rr,existsSync as sr,mkdirSync as Ci,readFileSync as Oi,rmSync as xi,writeFileSync as b... L3: `}var H="http://127.0.0.1:4000/v1";var Gr="venos",Yr="venos hook",zr="venos usage-sync",Xr="venos usage-sync --throttle";function lt(e,t){return(e??[]).some(n=>n.hooks.some(r=>type... L4: `,i===t&&(o+=" ".repeat(s+n+2),o+=`^ ... L41: sibling: ${n} L42: If you are developing locally, run: pnpm --filter @venos/mcp-server build`)}import{existsSync as Do}from"node:fs";function Ho(e,t,n){let r=e.configPath(t);if(!e.isInstalled(t))retu... L43: ... L45: `:`${Le} L46: `;return g(n,o),{status:"wired",path:n}}import{execFileSync as ms}from"node:child_process";import{existsSync as sn,mkdirSync as ns,rmSync as rs,writeFileSync as os}from"node:fs";im... L47: `,"utf8")}function V(e){let t=He(e);return on(t)?(Zo(t,{force:!0}),!0):!1}function F(e){return on(He(e))}function an(e){return is(e,"Library","LaunchAgents",`${De}.plist`)}function... ... L75: </plist> L76: `}var cn={platform:"darwin",install(e){let t=an(e.home);try{let n=sn(t);ns(ss(t),{recursive:!0}),os(t,as(e.nodePath,e.cliEntry),"utf8");try{e.run(
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L2

Findings

1 Critical4 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License