aiden-runtime@4.13.0

Local-first AI agent for Windows/WSL/Linux. Autonomous tool chaining across 14+ providers, offline via Ollama.

AI Security Review

scanned 19h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. The package is an AI agent runtime that seeds first-party workspace skills during npm postinstall and can later install Aiden MCP entries or OS daemon units via explicit CLI commands. This creates agent-extension lifecycle risk, but source inspection did not confirm malicious install-time hijacking or exfiltration.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: npm install for workspace skill seeding; explicit aiden CLI commands for MCP/daemon setup
Impact: Bundled Aiden instructions/tools become available to the runtime; explicit commands can register Aiden with MCP clients or OS service managers.
Mechanism: first-party agent skill seeding and user-invoked platform integration
Policy narrative: On install, the package seeds Aiden-owned workspace folders and starter skills. At runtime, explicit Aiden commands can copy bundled skills into Aiden home, register an Aiden MCP server with supported clients, or install a daemon service. I did not find lifecycle-triggered mutation of foreign AI-agent control surfaces, credential harvesting, or package-to-attacker exfiltration.
Rationale: Source inspection supports a warn-level first-party AI-agent extension lifecycle risk, not concrete malware: the npm postinstall is local seeding only, while foreign MCP/client and daemon persistence writes are explicit CLI surfaces. No install-time network, secret collection, destructive behavior, or unconsented broad agent-control hijack was confirmed.
Evidence
  • package.json
  • scripts/postinstall.js
  • dist/core/v4/skillBundledRestore.js
  • dist/core/v4/mcp/install/clients.js
  • dist/core/v4/mcp/install/clientPaths.js
  • dist/cli/v4/commands/daemon.js
  • skills/claude-code/SKILL.md
  • skills/codex/SKILL.md
  • plugins/aiden-plugin-chatgpt-plus/index.js
  • plugins/aiden-plugin-claude-pro/index.js
  • workspace/sandbox
  • workspace/uploads
  • workspace/artifacts
  • workspace/memory
  • workspace/skills
  • workspace/SOUL.md
  • logs
  • ~/.config/systemd/user/aiden.service
  • ~/Library/LaunchAgents/com.aiden.daemon.plist
  • Claude/claude_desktop_config.json
  • ~/.cursor/mcp.json
  • .vscode/mcp.json
Network endpoints (6)
  • auth.openai.com
  • chatgpt.com/backend-api/codex
  • claude.ai/oauth/authorize
  • console.anthropic.com/v1/oauth/token
  • platform.claude.com/v1/oauth/token
  • api.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js creates workspace/log directories and copies bundled SOUL.md/starter skills into workspace/skills on first install
  • dist/core/v4/skillBundledRestore.js can copy bundled skills into Aiden-owned user skills dir and writes .skills-bundle-version
  • skills/claude-code/SKILL.md and skills/codex/SKILL.md document delegating tasks to external agent CLIs, including high-autonomy Codex modes
  • dist/cli/v4/commands/daemon.js contains user-invoked service install paths for systemd/launchd
Evidence against
  • scripts/postinstall.js is local-only: no network, no child_process, no env harvesting, no home/foreign agent config writes
  • MCP client config mutation is implemented under dist/core/v4/mcp/install/* and appears tied to explicit install/uninstall helpers, not npm lifecycle
  • OAuth plugins use package-aligned auth/inference endpoints and store via runtime token helpers, not scanner-visible exfiltration
  • dist/tools/v4/web/openUrl.js validates http(s) URLs before OS browser launch
  • dist/core/v4/util/spawnCommand.js is a subprocess helper with quoting/Windows shim handling, not hidden install-time execution
  • No evidence found of unconsented writes to CLAUDE.md, .claude, .codex, Cursor settings, shell startup files, or VCS hooks during install
Behavioral surface
  Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
  Supply chain: HighEntropyStrings, UrlStrings
  Manifest: CopyleftLicense, WildcardDependency
scanned 732 file(s), 6.34 MB of source; the scanner also lists the package's external domains.

Source & flagged code

14 flagged
package.json
  scripts.postinstall = node scripts/postinstall.js
High · Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
  scripts.postinstall = node scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/tools/v4/web/openUrl.js · L33
  L33: exports.isLaunchableUrl = isLaunchableUrl;
  L34: const node_child_process_1 = require("node:child_process");
  L35: /** Resolve the launch command for the current platform. */
High · Child Process

Package source references child process execution.

dist/core/v4/util/spawnCommand.js#virtual:normalized:round1 · L18
  L18:  * which throws EINVAL on Windows when `cmd` resolves to `.cmd` / `.bat`.
  L19:  * The naive fix — `shell: true` — would silently permit argument
  L20:  * injection through MCP server config (user-supplied command line),
High · Shell

Package source references shell execution.

dist/core/recipeEngine.js · L91
  L91: // eslint-disable-next-line no-new-func
  L92: return new Function(`return ${resolved}`)();
  L93: }
Low · Eval

Package source references a known benign dynamic code generation pattern.

dist/tools/eonetTool.js · L7
  L7: exports.getEonetSummary = getEonetSummary;
  L8: const undici_1 = require("undici");
  L9: const EONET_BASE = 'https://eonet.gsfc.nasa.gov/api/v3';
Medium · Dynamic Require

Package source references dynamic require/import behavior.

dist/core/runSandbox.js · L1
  L1: "use strict";
  L2: // ============================================================
Medium · Unsafe Vm Context

Package source executes code through a VM context API.

dist/core/memoryStrategy.js · L65
  L65: constructor() {
  L66: this.filePath = path.join(process.cwd(), 'workspace', 'computer-use-memory.json');
  L67: this.memory = [];
  ...
  L82: const raw = fs.readFileSync(this.filePath, 'utf8');
  L83: this.memory = JSON.parse(raw);
  L84: }
  ...
  L135: this.save();
  L136: await memoryLayers_1.memoryLayers.write(`ComputerUse memory stored (success): ${goal}`, ['computer_use', 'memory', 'success']);
  L137: }
Low · Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/toolRegistry.js · L61
  L61: // browser automation, file I/O, shell exec, and web utilities.
  L62: const child_process_1 = require("child_process");
  L63: const util_1 = require("util");
  ...
  L105: 'tsconfig.json',
  L106: 'package.json',
  L107: 'vitest.config.ts',
  ...
  L141: /\breg\s+(add|delete)/i,
  L142: /\bschtasks\s/i,
  L143: /\bwmic\s+process\s+call/i,
  ...
  L223: const reason = `[Security] ${lang} code blocked: "${opStr}" targeting "${pathStr}" — destructive operation on protected system path`;
  L224: process.stderr.write(reason + '\n');
  L225: return { denied: true, reason };
Medium · Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/v4/commands/daemon.js · L499
  L499: const cmd = [process.execPath, findBundlePath()];
  L500: const child = (0, node_child_process_1.spawn)(cmd[0], cmd.slice(1), {
  L501: env: { ...process.env, AIDEN_DAEMON: '1' },
  L502: stdio: 'ignore',
  ...
  L512: try {
  L513: const r = await getJson(`http://127.0.0.1:${port}/api/daemon/status`, 3000);
  L514: io.out(JSON.stringify(r, null, 2) + '\n');
High · Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js · L14
  L14:
  L15: const { spawn } = require('node:child_process');
  L16: const fs = require('node:fs');
  L17: const http = require('node:http');
  L18: const os = require('node:os');
  ...
  L29:  *
  L30:  * @param {NodeJS.Platform} sys — process.platform; defaults to current.
  L31:  * @returns {string[]}
  ...
  L53: const bases = [
  L54: process.env.ProgramFiles,
  L55: process.env['ProgramFiles(x86)'],
  ...
  L135: try {
High · Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/moat/ssrfProtection.js · L10
  L10:  *
  L11:  * Always-on URL validator. Blocks requests to RFC 1918 private nets,
  L12:  * loopback, link-local, CGNAT, and well-known cloud-metadata
  ...
  L25: exports.SSRFProtection = void 0;
  L26: const node_dns_1 = __importDefault(require("node:dns"));
  L27: /** Hostnames that resolve into cloud-metadata services. Checked
High · Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/moat/tirithScanner.js · L37 (contains invisible/control Unicode U+200B, zero width space)
  L37: const ZERO_WIDTH = /[<U+200B><U+200C><U+200D><U+2060><U+FEFF>]/;
Critical · Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

scripts/uninstall.ps1
  path = scripts/uninstall.ps1
  kind = build_helper
  sizeBytes = 5818
  magicHex = [redacted]
Medium · Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Findings

1 Critical · 6 High · 9 Medium · 8 Low
Critical · Trojan Source Unicode · dist/moat/tirithScanner.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/tools/v4/web/openUrl.js
High · Shell · dist/core/v4/util/spawnCommand.js#virtual:normalized:round1
High · Same File Env Network Execution · dist/cli/v4/commands/daemon.js
High · Sandbox Evasion Gated Capability · plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js
High · Cloud Metadata Access · dist/moat/ssrfProtection.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/tools/eonetTool.js
Medium · Unsafe Vm Context · dist/core/runSandbox.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/core/toolRegistry.js
Medium · Ships Build Helper · scripts/uninstall.ps1
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/core/recipeEngine.js
Low · Weak Crypto · dist/core/memoryStrategy.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License