AI Security Review
scanned 19h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI agent runtime that seeds first-party workspace skills during npm postinstall and can later install Aiden MCP entries or OS daemon units via explicit CLI commands. This creates agent-extension lifecycle risk, but source inspection did not confirm malicious install-time hijacking or exfiltration.
Decision evidence
public snapshot
- package.json runs postinstall: node scripts/postinstall.js
- scripts/postinstall.js creates workspace/log directories and copies bundled SOUL.md/starter skills into workspace/skills on first install
- dist/core/v4/skillBundledRestore.js can copy bundled skills into Aiden-owned user skills dir and writes .skills-bundle-version
- skills/claude-code/SKILL.md and skills/codex/SKILL.md document delegating tasks to external agent CLIs, including high-autonomy Codex modes
- dist/cli/v4/commands/daemon.js contains user-invoked service install paths for systemd/launchd
- scripts/postinstall.js is local-only: no network, no child_process, no env harvesting, no home/foreign agent config writes
- MCP client config mutation is implemented under dist/core/v4/mcp/install/* and appears tied to explicit install/uninstall helpers, not npm lifecycle
- OAuth plugins use package-aligned auth/inference endpoints and store via runtime token helpers, not scanner-visible exfiltration
- dist/tools/v4/web/openUrl.js validates http(s) URLs before OS browser launch
- dist/core/v4/util/spawnCommand.js is a subprocess helper with quoting/Windows shim handling, not hidden install-time execution
- No evidence found of unconsented writes to CLAUDE.md, .claude, .codex, Cursor settings, shell startup files, or VCS hooks during install
Source & flagged code
14 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Package source references child process execution. (dist/tools/v4/web/openUrl.js, L33)
- Package source references shell execution. (dist/core/v4/util/spawnCommand.js#virtual:normalized:round1, L18)
- Package source references a known benign dynamic code generation pattern. (dist/core/recipeEngine.js, L91)
- Package source references dynamic require/import behavior. (dist/tools/eonetTool.js, L7)
- Package source executes code through a VM context API. (dist/core/runSandbox.js, L1)
- Package source references weak cryptographic algorithms. (dist/core/memoryStrategy.js, L65)
- Source writes installer persistence such as shell profile or service configuration. (dist/core/toolRegistry.js, L61)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/cli/v4/commands/daemon.js, L499)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js, L14)
- Source reaches cloud instance metadata or link-local credential endpoints. (dist/moat/ssrfProtection.js, L10)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (dist/moat/tirithScanner.js, L37)
- Package ships non-JavaScript build or shell helper files. (scripts/uninstall.ps1)