aiden-runtime@4.14.0

Local-first AI agent for Windows/WSL/Linux. Autonomous tool chaining across 14+ providers, offline via Ollama.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. It confirmed lifecycle setup of a first-party AI agent workspace and bundled skills, but not unconsented mutation of foreign agent control surfaces. The remaining risk is agent extension lifecycle setup inside the package's own namespace.

Static reason: High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source
Trigger: npm install postinstall
Impact: Installs package-supplied agent skill content for later Aiden runtime use
Mechanism: package-local workspace and starter skill copy
Policy narrative: On install, the package initializes its own Aiden workspace and copies bundled starter skills/templates for later use by the Aiden agent. Separately, explicit CLI MCP commands can register Aiden with Claude/Cursor/VS Code configs, but those paths are user-invoked and not reached from npm postinstall.
Rationale: Source inspection confirms first-party agent lifecycle setup during postinstall, which is warn-worthy under the agent extension lifecycle policy, but I found no install-time foreign agent hijack, credential harvesting, destructive behavior, or exfiltration. Scanner hits for shell/network/MCP are largely package-aligned runtime or explicit CLI capabilities.
Evidence:
  • package.json
  • scripts/postinstall.js
  • dist/core/v4/skillFreshness.js
  • dist/core/v4/skills/curatedManifest.js
  • dist/core/v4/mcp/install/clientPaths.js
  • dist/cli/v4/commands/mcpClientInstall.js
  • dist/moat/tirithScanner.js
  • workspace/sandbox
  • workspace/uploads
  • workspace/artifacts
  • workspace/memory
  • workspace/skills
  • logs
  • workspace/SOUL.md
  • .skills-manifest-cache.json
Network endpoints (1):
  • raw.githubusercontent.com/taracodlabs/aiden-skills/main/manifest.json

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js creates workspace dirs and copies workspace-templates/skills into workspace/skills on first install
  • Package is an AI agent runtime with bundled skills and MCP integration
  • dist/core/v4/mcp/install/clientPaths.js targets Claude/Cursor/VS Code config paths when invoked
Evidence against
  • postinstall writes only package-local workspace/logs paths under the installed package root
  • No postinstall write to Claude/Cursor/Codex home configs or broad foreign agent surfaces found
  • MCP client config writes are under explicit aiden mcp init/repair/uninstall commands with prompts/backups
  • dist/core/v4/skillFreshness.js only fetches a package-aligned manifest and caches freshness metadata
  • dist/moat/tirithScanner.js Unicode controls are regex literals for detecting Trojan Source, not hidden control flow
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: Copyleft License, Wildcard Dependency
scanned 735 file(s), 6.37 MB of source, external domains: [domain list omitted]

Source & flagged code

15 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High · Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/tools/v4/web/openUrl.js · L33
L33: exports.isLaunchableUrl = isLaunchableUrl;
L34: const node_child_process_1 = require("node:child_process");
L35: /** Resolve the launch command for the current platform. */
High · Child Process

Package source references child process execution.

dist/core/v4/util/spawnCommand.js#virtual:normalized:round1 · L18
L18:  * which throws EINVAL on Windows when `cmd` resolves to `.cmd` / `.bat`.
L19:  * The naive fix — `shell: true` — would silently permit argument
L20:  * injection through MCP server config (user-supplied command line),
High · Shell

Package source references shell execution.

dist/core/recipeEngine.js · L91
L91: // eslint-disable-next-line no-new-func
L92: return new Function(`return ${resolved}`)();
L93: }
Low · Eval

Package source references a known benign dynamic code generation pattern.

dist/tools/eonetTool.js · L7
L7: exports.getEonetSummary = getEonetSummary;
L8: const undici_1 = require("undici");
L9: const EONET_BASE = 'https://eonet.gsfc.nasa.gov/api/v3';
Medium · Dynamic Require

Package source references dynamic require/import behavior.

dist/core/runSandbox.js · L1
L1: "use strict";
L2: // ============================================================
Medium · Unsafe Vm Context

Package source executes code through a VM context API.

dist/core/memoryStrategy.js · L65
L65: constructor() {
L66: this.filePath = path.join(process.cwd(), 'workspace', 'computer-use-memory.json');
L67: this.memory = [];
...
L82: const raw = fs.readFileSync(this.filePath, 'utf8');
L83: this.memory = JSON.parse(raw);
L84: }
...
L135: this.save();
L136: await memoryLayers_1.memoryLayers.write(`ComputerUse memory stored (success): ${goal}`, ['computer_use', 'memory', 'success']);
L137: }
Low · Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/toolRegistry.js · L61
L61: // browser automation, file I/O, shell exec, and web utilities.
L62: const child_process_1 = require("child_process");
L63: const util_1 = require("util");
...
L105: 'tsconfig.json',
L106: 'package.json',
L107: 'vitest.config.ts',
...
L141: /\breg\s+(add|delete)/i,
L142: /\bschtasks\s/i,
L143: /\bwmic\s+process\s+call/i,
...
L223: const reason = `[Security] ${lang} code blocked: "${opStr}" targeting "${pathStr}" — destructive operation on protected system path`;
L224: process.stderr.write(reason + '\n');
L225: return { denied: true, reason };
Medium · Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/v4/commands/daemon.js · L499
L499: const cmd = [process.execPath, findBundlePath()];
L500: const child = (0, node_child_process_1.spawn)(cmd[0], cmd.slice(1), {
L501: env: { ...process.env, AIDEN_DAEMON: '1' },
L502: stdio: 'ignore',
...
L512: try {
L513: const r = await getJson(`http://127.0.0.1:${port}/api/daemon/status`, 3000);
L514: io.out(JSON.stringify(r, null, 2) + '\n');
High · Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js · L14
L14:
L15: const { spawn } = require('node:child_process');
L16: const fs = require('node:fs');
L17: const http = require('node:http');
L18: const os = require('node:os');
...
L29:  *
L30:  * @param {NodeJS.Platform} sys — process.platform; defaults to current.
L31:  * @returns {string[]}
...
L53: const bases = [
L54: process.env.ProgramFiles,
L55: process.env['ProgramFiles(x86)'],
...
L135: try {
High · Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/moat/ssrfProtection.js · L10
L10:  *
L11:  * Always-on URL validator. Blocks requests to RFC 1918 private nets,
L12:  * loopback, link-local, CGNAT, and well-known cloud-metadata
...
L25: exports.SSRFProtection = void 0;
L26: const node_dns_1 = __importDefault(require("node:dns"));
L27: /** Hostnames that resolve into cloud-metadata services. Checked
High · Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/moat/tirithScanner.js · L37
L37 contains invisible/control Unicode U+200B (zero width space):
L37: const ZERO_WIDTH = /[<U+200B><U+200C><U+200D><U+2060><U+FEFF>]/;
Critical · Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

scripts/uninstall.ps1
path = scripts/uninstall.ps1
kind = build_helper
sizeBytes = 5818
magicHex = [redacted]
Medium · Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/core/v4/skillFreshness.js
matchType = previous_version_dangerous_delta
matchedPackage = aiden-runtime@4.13.0
matchedIdentity = npm:YWlkZW4tcnVudGltZQ:4.13.0
similarity = 0.967
summary = stored previous version shares package body but lacks this dangerous source file
High · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Findings

1 Critical · 7 High · 9 Medium · 8 Low
Critical · Trojan Source Unicode · dist/moat/tirithScanner.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/tools/v4/web/openUrl.js
High · Shell · dist/core/v4/util/spawnCommand.js#virtual:normalized:round1
High · Same File Env Network Execution · dist/cli/v4/commands/daemon.js
High · Sandbox Evasion Gated Capability · plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js
High · Cloud Metadata Access · dist/moat/ssrfProtection.js
High · Previous Version Dangerous Delta · dist/core/v4/skillFreshness.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/tools/eonetTool.js
Medium · Unsafe Vm Context · dist/core/runSandbox.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/core/toolRegistry.js
Medium · Ships Build Helper · scripts/uninstall.ps1
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/core/recipeEngine.js
Low · Weak Crypto · dist/core/memoryStrategy.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License