@voko/lite@0.3.2

VOKO Lite — a lightweight, pure Node.js edition, made available to agents via MCP

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was established. The main residual risk is an obfuscated agent/MCP-facing package with lifecycle native dependency installation and runtime messaging/network integrations.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; voko CLI/runtime starts services and handlers
Impact
Potential lifecycle supply-chain risk and broad runtime agent capability surface, but no confirmed unconsented control-surface hijack or exfiltration
Mechanism
install-time native dependency install plus user-invoked MCP/messaging runtime
Policy narrative
On install the package runs scripts/build-native.js, which creates a package-local native directory and invokes npm to install better-sqlite3. At runtime, the obfuscated voko CLI starts a local MCP/Express service, uses a VOKO SQLite database/logs under user config paths, and can connect to configured messaging backends such as Feishu, Telegram, OpenClaw/Hermes, and WukongIM. These are risky capabilities, but inspection did not find lifecycle mutation of foreign AI-agent surfaces, credential harvesting, destructive persistence, or install-time exfiltration.
Rationale
The scanner's malicious-looking primitives are mostly explained by an obfuscated MCP/agent runtime and native dependency bootstrap; the lifecycle hook does not plant agent instructions or harvest data. Because the package is an agent/MCP platform with install-time maintenance and broad runtime capability, warning is appropriate rather than blocking.
Evidence
  • package.json
  • scripts/build-native.js
  • dist/index.js
  • dist/preload.js
  • dist/core/notifier.js
  • dist/server/telegram-handler.js
  • dist/server/feishu-handler.js
  • native/better-sqlite3
  • native/better-sqlite3/build/Release/better_sqlite3.node
  • user config voko/wukongim.db
  • user config voko/lite.log
Network endpoints (6)
  • registry.npmjs.org/@voko/lite/latest
  • localhost:/mcp
  • open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal
  • api.telegram.org
  • im.wukongim.com
  • localhost:8642

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall node scripts/build-native.js.
  • scripts/build-native.js creates native/ and runs npm install better-sqlite3@12 --no-save --prefix native during install.
  • dist output is heavily javascript-obfuscator encoded, reducing auditability.
  • dist/index.js CLI can start local Express/MCP service, writes VOKO DB/logs under user config/home, and has user-invoked update/desktop start/stop process controls.
Evidence against
  • Postinstall is package-aligned native dependency setup for better-sqlite3, not credential harvesting or agent control-surface mutation.
  • No install-time writes to .mcp.json, CLAUDE.md, Claude/Codex/Cursor settings, shell startup files, VCS hooks, or OS autostart were found.
  • Network use appears runtime/product-aligned: MCP HTTP on localhost, Feishu/Telegram/OpenClaw/Hermes handlers, npm registry version check, and configured backend messaging.
  • dist/preload.js only rewrites require resolution for better-sqlite3 to package native path outside Electron.
  • dist/core/notifier.js child_process exec only plays local notification sounds by platform at runtime.
  • No source evidence of secret/env harvesting and exfiltration during install/import.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest
NoLicense
scanned 54 file(s), 1.26 MB of source, external domains: open.feishu.cn, qianfan.baidubce.com

Source & flagged code

7 flagged
package.json
scripts.postinstall = node scripts/build-native.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

dist/core/notifier.js
L1: const a22_0x1dc0bb=a22_0x5812;(function(_0x5031eb,_0x377c9c){const _0x68e353=a22_0x5812,_0x475398=_0x5031eb();while(!![]){try{const _0x2cd42c=-parseInt(_0x68e353(0xde))/0x1+parseIn...
High
Child Process

Package source references child process execution.

dist/core/notifier.js · L1
L1: const a22_0x1dc0bb=a22_0x5812;(function(_0x5031eb,_0x377c9c){const _0x68e353=a22_0x5812,_0x475398=_0x5031eb();while(!![]){try{const _0x2cd42c=-parseInt(_0x68e353(0xde))/0x1+parseIn...
High
Shell

Package source references shell execution.

dist/core/notifier.js · L1
dist/preload.js
L1: const a36_0x25907d=a36_0x2898;(function(_0x28ba3b,_0x50cf77){const _0x45af96=a36_0x2898,_0x46b719=_0x28ba3b();while(!![]){try{const _0x48f7d3=-parseInt(_0x45af96(0xca))/0x1+parseIn...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/preload.js · L1
L1: const a36_0x25907d=a36_0x2898;(function(_0x28ba3b,_0x50cf77){const _0x45af96=a36_0x2898,_0x46b719=_0x28ba3b();while(!![]){try{const _0x48f7d3=-parseInt(_0x45af96(0xca))/0x1+parseIn...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/preload.js · L1
dist/index.js
L2:
L3: const a32_0x5b31cb=a32_0x3db9;(function(_0x6bb412,_0x396230){const _0x1e414f=a32_0x3db9,_0x5466ce=_0x6bb412();while(!![]){try{const _0x32825e=-parseInt(_0x1e414f(0x26b))/0x1*(parse...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L2
scripts/build-native.js
L4:  *
L5:  * better-sqlite3 officially provides prebuilt binaries, which are downloaded automatically during npm install.
L6:  * Python and a C++ compiler are needed only when no prebuilt package exists for the corresponding version.
...
L11: const path = require('path');
L12: const { execSync } = require('child_process');
L13:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/build-native.js · L4

Findings

7 High · 4 Medium · 6 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Child Process (dist/core/notifier.js)
  • High: Shell (dist/core/notifier.js)
  • High: Same File Env Network Execution (dist/index.js)
  • High: Obfuscated Payload Loader (dist/preload.js)
  • High: Runtime Package Install (scripts/build-native.js)
  • High: Obfuscated
  • Medium: Dynamic Require (dist/preload.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License