registry  /  arkaos  /  4.3.1

arkaos@4.3.1

The Operating System for AI Agent Teams

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack chain was found, but the package has substantial explicit-command lifecycle risk because its installer mutates AI-agent configuration and installs agent extensions. These actions are product-aligned but broad enough to warrant a warning.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `npx arkaos install`, `npx arkaos update`, `npx arkaos autostart enable`, or related CLI commands.
Impact
May alter Claude/Codex/Gemini/Cursor behavior, install third-party agent tooling, and create user-level startup services after explicit command invocation.
Mechanism
explicit installer-driven AI-agent configuration, plugin/MCP setup, dependency installation, and service registration
Rationale
Because there is no npm install lifecycle hook and the behavior is activated by explicit CLI commands, this does not meet the block threshold for unconsented AI-agent control-surface mutation. The breadth of first-party agent setup, third-party plugin/MCP installation, and startup service registration remains a real lifecycle risk, so warn rather than mark clean.
Evidence
package.jsoninstaller/cli.jsinstaller/index.jsinstaller/adapters/claude-code.jsinstaller/adapters/codex-cli.jsinstaller/adapters/gemini-cli.jsinstaller/adapters/cursor.jsinstaller/claude-plugins.jsinstaller/frontend-tooling.jsinstaller/autostart.jsinstaller/graphify.jsdepartments/dev/skills/env-secrets/SKILL.md~/.arkaos/**~/.claude/settings.json~/.claude/skills/**~/.claude/agents/**~/.codex/AGENTS.md~/.gemini/GEMINI.md~/.cursor/rules/arkaos.md~/Library/LaunchAgents/com.arkaos.scheduler.plist~/.config/systemd/user/arkaos-scheduler.service
Network endpoints7
higgsfield.aiollama.com/install.shopenrouter.ai/api/v1api.openai.com/v1fal.runapi.replicate.com/v1generativelanguage.googleapis.com/v1beta

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `npx arkaos install` is the default bin action and writes AI-agent config under `~/.claude`, `~/.codex`, `~/.gemini`, or `~/.cursor`.
  • `installer/adapters/claude-code.js` overwrites Claude Code hook entries in `~/.claude/settings.json` to execute ArkaOS hook scripts.
  • `installer/index.js` installs ArkaOS skills/agents into `~/.claude/skills` and `~/.claude/agents`, plus a background scheduler service.
  • `installer/claude-plugins.js` registers a third-party Claude plugin marketplace and installs default Claude plugins during ArkaOS install/update.
  • `installer/frontend-tooling.js` can register a Magic MCP and run `npx -y motion-ai` when Claude CLI and required key are present.
  • `installer/graphify.js` may install `graphifyy` via `uv`/`pipx` and run `graphify install` as best-effort setup.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; npm package installation alone does not trigger these mutations.
  • The risky behavior is tied to explicit user commands such as `arkaos install`, `update`, `autostart`, or `dashboard`.
  • No source evidence of credential harvesting or exfiltration; API keys are prompted or read for declared provider/tool setup and saved locally.
  • Autostart/dashboard/scheduler persistence is visible product functionality, not hidden stealth persistence.
  • The scanner secret hit in `departments/dev/skills/env-secrets/SKILL.md` is documentation containing example secret patterns, not a real credential.
  • Network/API references are mostly package-aligned providers, local services, or package-manager installs.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 43 file(s), 235 KB of source, external domains: higgsfield.ai, nodejs.org, obsidian.md, ollama.com, python.org, www.apple.com, www.python.org

Source & flagged code

8 flagged · loading source
departments/dev/skills/env-secrets/SKILL.mdView file
31patternName = aws_access_key severity = critical line = 31 matchedText = | AWS Ac...E` |
Critical
Critical Secret

Package contains a critical-looking secret pattern.

departments/dev/skills/env-secrets/SKILL.mdView on unpkg · L31
31patternName = aws_access_key severity = critical line = 31 matchedText = | AWS Ac...E` |
Critical
Secret Pattern

AWS access key ID in departments/dev/skills/env-secrets/SKILL.md

departments/dev/skills/env-secrets/SKILL.mdView on unpkg · L31
installer/frontend-tooling.jsView file
17import { existsSync, readFileSync, writeFileSync, chmodSync } from "node:fs"; L18: import { execSync, spawnSync } from "node:child_process"; L19: import { createInterface } from "node:readline";
High
Child Process

Package source references child process execution.

installer/frontend-tooling.jsView on unpkg · L17
7// it lives only in ~/.arkaos/keys.json (chmod 600) + Claude user config. L8: // 2. Motion AI Kit (npx motion-ai) — auto-run on every install/update. L9: // 3. (ui-ux-pro-max plugin + marketplace is handled in claude-plugins.js.) ... L17: import { existsSync, readFileSync, writeFileSync, chmodSync } from "node:fs"; L18: import { execSync, spawnSync } from "node:child_process"; L19: import { createInterface } from "node:readline";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

installer/frontend-tooling.jsView on unpkg · L7
installer/autostart.jsView file
103set ARKAOS_NO_BROWSER=1 L104: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "${ps1}" L105: `;
High
Shell

Package source references shell execution.

installer/autostart.jsView on unpkg · L103
13L14: import { execSync } from "node:child_process"; L15: import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs"; ... L42: <array> L43: <string>/bin/bash</string> L44: <string>${startScript}</string> ... L130: export function enable({ repoRoot = defaultRepoRoot() } = {}) { L131: const unit = unitFor(process.platform, { repoRoot, home: homedir() }); L132: mkdirSync(dirname(unit.path), { recursive: true }); ... L135: if (unit.kind === "launchd") { L136: _silent(`launchctl unload "${unit.path}"`); L137: if (!_silent(`launchctl load -w "${unit.path}"`)) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

installer/autostart.jsView on unpkg · L13
core/fusion/__init__.pyView file
path = core/fusion/__init__.py kind = build_helper sizeBytes = 197 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

core/fusion/__init__.pyView on unpkg
installer/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = arkaos@4.3.0 matchedIdentity = npm:YXJrYW9z:4.3.0 similarity = 0.977 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

installer/cli.jsView on unpkg

Findings

3 Critical3 High5 Medium5 Low
CriticalCritical Secretdepartments/dev/skills/env-secrets/SKILL.md
CriticalPrevious Version Dangerous Deltainstaller/cli.js
CriticalSecret Patterndepartments/dev/skills/env-secrets/SKILL.md
HighChild Processinstaller/frontend-tooling.js
HighShellinstaller/autostart.js
HighRuntime Package Installinstaller/frontend-tooling.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceinstaller/autostart.js
MediumShips Build Helpercore/fusion/__init__.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings