
aiden-runtime@4.12.0

Local-first AI agent for Windows/WSL/Linux. Autonomous tool chaining across 14+ providers, offline via Ollama.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a local AI-agent runtime with expected local workspace initialization and user-invoked tools for shell, browser, and provider access.

Static reason
A combination of high-risk behaviors matched the malicious-behavior policy, which is what triggered this review.
Trigger
npm install creates local workspace scaffolding; runtime CLI actions invoke agent tools.
Impact
No concrete unconsented credential theft, exfiltration, persistence, or destructive behavior found by static inspection.
Mechanism
Local agent-runtime capabilities that match what the package advertises, gated by permission checks.
Rationale
Static inspection found high-risk primitives, but they are aligned with a local AI-agent runtime and gated or user-invoked; the install hook only creates/copies local starter workspace files. Scanner hits for secrets and Trojan Source are explained by documentation examples and intentional scanner regexes.
Evidence
  • package.json
  • scripts/postinstall.js
  • scripts/uninstall.ps1
  • dist/cli/v4/aidenCLI.js
  • dist/tools/v4/terminal/shellExec.js
  • dist/tools/v4/web/openUrl.js
  • dist/core/v4/util/spawnCommand.js
  • dist/core/recipeEngine.js
  • dist/moat/tirithScanner.js
  • workspace-templates/SOUL.md
  • workspace-templates/permissions.yaml
  • skills/installed/infrastructure/SKILL.md
  • workspace/sandbox
  • workspace/uploads
  • workspace/artifacts
  • workspace/memory
  • workspace/skills
  • logs
  • workspace/SOUL.md
Network endpoints (4)
  • eonet.gsfc.nasa.gov/api/v3
  • api.anthropic.com
  • chatgpt.com/backend-api/codex
  • api.openai.com/v1

Decision evidence

public snapshot
AI verdict: Clean (Benign) at 84.0% confidence, with high false-positive risk.
Evidence for block
  • package.json runs postinstall script on install.
  • scripts/postinstall.js creates workspace/* and copies workspace-templates/SOUL.md and starter skills on first install.
  • dist/tools/v4/terminal/shellExec.js exposes user-invoked shell execution as a dangerous tool.
  • dist/core/recipeEngine.js uses new Function for user recipe conditions.
Evidence against
  • scripts/postinstall.js performs only local mkdir/copy under package root; no network, shell, credential reads, or exfiltration.
  • dist/tools/v4/web/openUrl.js validates http/https URLs and launches OS browser with shell:false.
  • dist/core/v4/util/spawnCommand.js explicitly avoids shell injection and quotes Windows shim args.
  • dist/moat/tirithScanner.js contains Unicode scanner regexes intentionally detecting bidi/zero-width characters, not hidden control flow.
  • skills/installed/infrastructure/SKILL.md contains documented placeholder/example cloud secrets, not active credentials.
  • workspace-templates/permissions.yaml and shellExec preview deny/flag destructive shell patterns.
Behavioral surface
  Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
  Supply chain: HighEntropyStrings, UrlStrings
  Manifest: CopyleftLicense, WildcardDependency
scanned 707 file(s), 6.11 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, ai.google.dev, aiden.ai, aiden.taracod.com, aistudio.google.com, api-docs.deepseek.com, api-inference.huggingface.co, api.anthropic.com, api.bayofassets.com, api.boa.ai, api.cerebras.ai, api.cloudflare.com, api.deepseek.com, api.duckduckgo.com, api.elevenlabs.io, api.example.com, api.github.com, api.githubcopilot.com, api.greynoise.io, api.groq.com, api.minimax.io, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.openai.com, api.search.brave.com, api.shodan.io, api.ssllabs.com, api.taracod.com, api.telegram.org, api.together.xyz, api.z.ai, app.asana.com, app.slack.com, auth.openai.com, build.nvidia.com, cdn.jsdelivr.net, chatgpt.com, claude.ai, console.anthropic.com, console.groq.com, console.mistral.ai, crt.sh, cveawg.mitre.org, dash.cloudflare.com, devos.local, docs.anthropic.com, docs.google.com, docs.mistral.ai

Source & flagged code

20 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High · Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
skills/installed/infrastructure/SKILL.md · L146
patternName = aws_access_key severity = critical line = 146 matchedText = accessKe...MPLE
Critical · Critical Secret

Package contains a critical-looking secret pattern.

skills/installed/infrastructure/SKILL.md · L146
patternName = aws_access_key severity = critical line = 146 matchedText = accessKe...MPLE
Critical · Secret Pattern

AWS access key ID in skills/installed/infrastructure/SKILL.md. The AI review (evidence against) classifies this as a documented placeholder/example key, not an active credential.
dist/tools/v4/web/openUrl.js · L33
L33: exports.isLaunchableUrl = isLaunchableUrl;
L34: const node_child_process_1 = require("node:child_process");
L35: /** Resolve the launch command for the current platform. */
High · Child Process

Package source references child process execution. The AI review notes that this tool validates http/https URLs and launches the OS browser with shell:false.
dist/core/v4/util/spawnCommand.js#virtual:normalized:round1 · L18
L18:  * which throws EINVAL on Windows when `cmd` resolves to `.cmd` / `.bat`.
L19:  * The naive fix — `shell: true` — would silently permit argument
L20:  * injection through MCP server config (user-supplied command line),
High · Shell

Package source references shell execution. The excerpt is the comment explaining why the wrapper avoids shell:true: Node's spawn() refuses .cmd/.bat targets with EINVAL unless a shell is used, and shell:true would expose user-supplied MCP server command lines to argument injection.
dist/core/recipeEngine.js · L91
L91: // eslint-disable-next-line no-new-func
L92: return new Function(`return ${resolved}`)();
L93: }
Low · Eval

Package source references a known benign dynamic code generation pattern. The AI review lists this under evidence for block: a recipe condition string is evaluated as JavaScript in the agent process, so the trust placed in it equals the trust placed in whoever authored the recipe.
dist/tools/eonetTool.js · L7
L7: exports.getEonetSummary = getEonetSummary;
L8: const undici_1 = require("undici");
L9: const EONET_BASE = 'https://eonet.gsfc.nasa.gov/api/v3';
Medium · Dynamic Require

Package source references dynamic require/import behavior. The quoted lines show a static require of undici and a fixed base URL; the dynamic-require hit itself is not visible in this excerpt.
dist/core/runSandbox.js · L1
L1: "use strict";
L2: // ============================================================
Medium · Unsafe Vm Context

Package source executes code through a VM context API. The excerpt shows only the file header. Node's vm module is not a security boundary: code run through it can reach the host realm, so anything executed here should be treated as running with the agent's own privileges.
dist/core/memoryStrategy.js · L65
L65: constructor() {
L66:     this.filePath = path.join(process.cwd(), 'workspace', 'computer-use-memory.json');
L67:     this.memory = [];
...
L82:     const raw = fs.readFileSync(this.filePath, 'utf8');
L83:     this.memory = JSON.parse(raw);
L84: }
...
L135:     this.save();
L136:     await memoryLayers_1.memoryLayers.write(`ComputerUse memory stored (success): ${goal}`, ['computer_use', 'memory', 'success']);
L137: }
Low · Weak Crypto

Package source references weak cryptographic algorithms. The quoted lines show a JSON memory file under workspace/ in the current working directory being read and passed to JSON.parse; no cryptographic call is visible in this excerpt.
dist/core/toolRegistry.js · L61
L61: // browser automation, file I/O, shell exec, and web utilities.
L62: const child_process_1 = require("child_process");
L63: const util_1 = require("util");
...
L105:     'tsconfig.json',
L106:     'package.json',
L107:     'vitest.config.ts',
...
L141:     /\breg\s+(add|delete)/i,
L142:     /\bschtasks\s/i,
L143:     /\bwmic\s+process\s+call/i,
...
L223:     const reason = `[Security] ${lang} code blocked: "${opStr}" targeting "${pathStr}" — destructive operation on protected system path`;
L224:     process.stderr.write(reason + '\n');
L225:     return { denied: true, reason };
Medium · Install Persistence

Source writes installer persistence such as shell profile or service configuration. In the quoted lines the reg add/delete, schtasks and wmic patterns sit in a deny list, and the trailing lines build the denial returned for a destructive operation on a protected path; the persistence write that triggered the rule is not visible in this excerpt.
dist/cli/v4/commands/daemon.js · L499
L499: const cmd = [process.execPath, findBundlePath()];
L500: const child = (0, node_child_process_1.spawn)(cmd[0], cmd.slice(1), {
L501:     env: { ...process.env, AIDEN_DAEMON: '1' },
L502:     stdio: 'ignore',
...
L512: try {
L513:     const r = await getJson(`http://127.0.0.1:${port}/api/daemon/status`, 3000);
L514:     io.out(JSON.stringify(r, null, 2) + '\n');
High · Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking. In the quoted lines the file re-launches the current Node binary on the agent bundle with the inherited environment plus AIDEN_DAEMON=1, then polls the daemon's status endpoint on loopback.
plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js · L14
L15: const { spawn } = require('node:child_process');
L16: const fs = require('node:fs');
L17: const http = require('node:http');
L18: const os = require('node:os');
...
L29:  *
L30:  * @param {NodeJS.Platform} sys — process.platform; defaults to current.
L31:  * @returns {string[]}
...
L53: const bases = [
L54:     process.env.ProgramFiles,
L55:     process.env['ProgramFiles(x86)'],
...
L135: try {
High · Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. In the quoted lines the platform check selects candidate Chrome install directories (ProgramFiles on Windows) before the browser is spawned, which is the normal shape of a browser launcher; the gated branch the rule matched is not in this excerpt.
dist/moat/ssrfProtection.js · L10
L10:  *
L11:  * Always-on URL validator. Blocks requests to RFC 1918 private nets,
L12:  * loopback, link-local, CGNAT, and well-known cloud-metadata
...
L25: exports.SSRFProtection = void 0;
L26: const node_dns_1 = __importDefault(require("node:dns"));
L27: /** Hostnames that resolve into cloud-metadata services. Checked
High · Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints. The quoted lines are the blocklist of an SSRF guard: metadata hostnames and link-local ranges are named here so that requests to them can be refused, and node:dns is imported alongside the list, which is what a check on resolved addresses needs.
dist/moat/tirithScanner.js · L37
L37: const ZERO_WIDTH = /[<U+200B><U+200C><U+200D><U+2060><U+FEFF>]/;
(scanner note: contains invisible/control Unicode U+200B (zero width space); the literal characters are rendered here as <U+…> placeholders)
Critical · Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. Here the characters sit inside a character class of the package's own scanner regex, which is why the AI review treats the hit as intentional; writing such classes with \u escapes instead of literal characters would avoid tripping downstream scanners.
scripts/uninstall.ps1
path = scripts/uninstall.ps1 kind = build_helper sizeBytes = 5818 magicHex = [redacted]
Medium · Ships Build Helper

Package ships non-JavaScript build or shell helper files.
skills/installed/send-data/SKILL.md · L95
patternName = generic_password severity = medium line = 95 matchedText = password...key"
Medium · Secret Pattern

Hardcoded password in skills/installed/send-data/SKILL.md

skills/installed/data-pipeline-builder/SKILL.md · L1037
patternName = generic_password severity = medium line = 1037 matchedText = password...RD}"
Medium · Secret Pattern

Hardcoded password in skills/installed/data-pipeline-builder/SKILL.md

skills/installed/bkend-auth/SKILL.md · L172
patternName = generic_password severity = medium line = 172 matchedText = password...23",
Medium · Secret Pattern

Hardcoded password in skills/installed/bkend-auth/SKILL.md

skills/installed/admin/SKILL.md · L197
patternName = generic_password severity = medium line = 197 matchedText = password...eme"
Medium · Secret Pattern

Hardcoded password in skills/installed/admin/SKILL.md

As with the infrastructure skill above, the AI review attributes these SKILL.md secret hits to documentation examples rather than live credentials; the matched text is truncated on this page, so the attribution cannot be re-checked from here.

Findings

3 Critical · 6 High · 13 Medium · 8 Low
  • Critical · Critical Secret · skills/installed/infrastructure/SKILL.md
  • Critical · Trojan Source Unicode · dist/moat/tirithScanner.js
  • Critical · Secret Pattern · skills/installed/infrastructure/SKILL.md
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · dist/tools/v4/web/openUrl.js
  • High · Shell · dist/core/v4/util/spawnCommand.js#virtual:normalized:round1
  • High · Same File Env Network Execution · dist/cli/v4/commands/daemon.js
  • High · Sandbox Evasion Gated Capability · plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js
  • High · Cloud Metadata Access · dist/moat/ssrfProtection.js
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · dist/tools/eonetTool.js
  • Medium · Unsafe Vm Context · dist/core/runSandbox.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · dist/core/toolRegistry.js
  • Medium · Ships Build Helper · scripts/uninstall.ps1
  • Medium · Structural Risk Force Deep Review
  • Medium · Wildcard Dependency
  • Medium · Secret Pattern · skills/installed/send-data/SKILL.md
  • Medium · Secret Pattern · skills/installed/data-pipeline-builder/SKILL.md
  • Medium · Secret Pattern · skills/installed/bkend-auth/SKILL.md
  • Medium · Secret Pattern · skills/installed/admin/SKILL.md
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Eval · dist/core/recipeEngine.js
  • Low · Weak Crypto · dist/core/memoryStrategy.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · Copyleft License