registry  /  arkaos  /  4.2.0

arkaos@4.2.0

The Operating System for AI Agent Teams

AI Security Review

scanned 13h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious npm-install-time behavior was found. The package does perform explicit-user-command AI agent setup, including Claude hooks/plugins/MCP registration and local dashboard autostart support, which is a real agent extension lifecycle risk.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs arkaos install, arkaos update, or arkaos autostart enable
Impact
User AI agent behavior can be changed by package-owned hooks/plugins; no source-grounded exfiltration or destructive chain confirmed
Mechanism
explicit CLI setup mutates AI runtime configuration and installs agent tooling
Rationale
Source inspection supports a warning for explicit agent extension lifecycle risk, not a malicious block: risky mutations are user-command driven and package-aligned. No concrete exfiltration, destructive behavior, stealth install hook, or unconsented npm lifecycle mutation was found.
Evidence
package.jsoninstaller/cli.jsinstaller/index.jsinstaller/adapters/claude-code.jsinstaller/adapters/codex-cli.jsinstaller/frontend-tooling.jsinstaller/claude-plugins.jsinstaller/autostart.jsdepartments/dev/skills/env-secrets/SKILL.md~/.claude/settings.json~/.codex/AGENTS.md~/.gemini/settings.json~/.cursor/settings.json~/.arkaos/keys.json~/.arkaos/install-manifest.json
Network endpoints6
api.openai.com/v1api.replicate.com/v1fal.rungenerativelanguage.googleapis.com/v1betaopenrouter.ai/api/v1localhost:11434

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • installer/index.js explicit install writes AI runtime config and hooks under user config dirs
  • installer/adapters/claude-code.js overwrites Claude Code hook arrays in settings.json
  • installer/frontend-tooling.js registers Magic MCP and runs npx -y motion-ai during arkaos install/update
  • installer/claude-plugins.js adds a third-party Claude plugin marketplace and installs default plugins
  • installer/cli.js builds shell command strings from user args for models/index/search
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly test/version check
  • installer actions are reached through user-invoked arkaos install/update/autostart commands, not npm install lifecycle
  • departments/dev/skills/env-secrets/SKILL.md contains example secret regexes/placeholders, not live credentials
  • Network/API URLs found are package-aligned provider/dashboard configs; no credential harvesting or exfiltration flow seen
  • autostart persistence is opt-in via arkaos autostart enable
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 43 file(s), 234 KB of source, external domains: higgsfield.ai, nodejs.org, obsidian.md, ollama.com, python.org, www.apple.com, www.python.org

Source & flagged code

8 flagged · loading source
departments/dev/skills/env-secrets/SKILL.mdView file
31patternName = aws_access_key severity = critical line = 31 matchedText = | AWS Ac...E` |
Critical
Critical Secret

Package contains a critical-looking secret pattern.

departments/dev/skills/env-secrets/SKILL.mdView on unpkg · L31
31patternName = aws_access_key severity = critical line = 31 matchedText = | AWS Ac...E` |
Critical
Secret Pattern

AWS access key ID in departments/dev/skills/env-secrets/SKILL.md

departments/dev/skills/env-secrets/SKILL.mdView on unpkg · L31
installer/frontend-tooling.jsView file
17import { existsSync, readFileSync, writeFileSync, chmodSync } from "node:fs"; L18: import { execSync, spawnSync } from "node:child_process"; L19: import { createInterface } from "node:readline";
High
Child Process

Package source references child process execution.

installer/frontend-tooling.jsView on unpkg · L17
7// it lives only in ~/.arkaos/keys.json (chmod 600) + Claude user config. L8: // 2. Motion AI Kit (npx motion-ai) — auto-run on every install/update. L9: // 3. (ui-ux-pro-max plugin + marketplace is handled in claude-plugins.js.) ... L17: import { existsSync, readFileSync, writeFileSync, chmodSync } from "node:fs"; L18: import { execSync, spawnSync } from "node:child_process"; L19: import { createInterface } from "node:readline";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

installer/frontend-tooling.jsView on unpkg · L7
installer/autostart.jsView file
103set ARKAOS_NO_BROWSER=1 L104: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "${ps1}" L105: `;
High
Shell

Package source references shell execution.

installer/autostart.jsView on unpkg · L103
13L14: import { execSync } from "node:child_process"; L15: import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs"; ... L42: <array> L43: <string>/bin/bash</string> L44: <string>${startScript}</string> ... L130: export function enable({ repoRoot = defaultRepoRoot() } = {}) { L131: const unit = unitFor(process.platform, { repoRoot, home: homedir() }); L132: mkdirSync(dirname(unit.path), { recursive: true }); ... L135: if (unit.kind === "launchd") { L136: _silent(`launchctl unload "${unit.path}"`); L137: if (!_silent(`launchctl load -w "${unit.path}"`)) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

installer/autostart.jsView on unpkg · L13
core/conclave/persistence.pyView file
path = core/conclave/persistence.py kind = build_helper sizeBytes = 1965 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

core/conclave/persistence.pyView on unpkg
installer/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = arkaos@4.1.1 matchedIdentity = npm:YXJrYW9z:4.1.1 similarity = 0.953 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

installer/cli.jsView on unpkg

Findings

3 Critical3 High5 Medium5 Low
CriticalCritical Secretdepartments/dev/skills/env-secrets/SKILL.md
CriticalPrevious Version Dangerous Deltainstaller/cli.js
CriticalSecret Patterndepartments/dev/skills/env-secrets/SKILL.md
HighChild Processinstaller/frontend-tooling.js
HighShellinstaller/autostart.js
HighRuntime Package Installinstaller/frontend-tooling.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceinstaller/autostart.js
MediumShips Build Helpercore/conclave/persistence.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings