registry  /  chainlesschain  /  0.162.148

chainlesschain@0.162.148

CLI for ChainlessChain - install, configure, and manage your personal AI management system

AI Security Review

scanned 9d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time lifecycle generates first-party ChainlessChain skill packs under the package app namespace.

Static reason
One or more suspicious static signals were detected.; routed for review
Trigger
npm install of chainlesschain@0.162.148
Impact
Warn-level lifecycle expansion of a package-owned agent extension surface; no confirmed malware payload.
Mechanism
first-party package-owned agent extension setup via npm postinstall
Policy narrative
During npm install, the postinstall script generates ChainlessChain skill packs under the package own desktop app userData skills directory. The generated handlers are package-aligned and run chainlesschain subcommands with inherited environment. This is risky lifecycle-time agent extension setup, but it stays inside the first-party app namespace and no exfiltration, remote payload, permission bypass, or foreign agent-control mutation was confirmed.
Rationale
Policy repair: first-party package-owned agent extension setup inside the ChainlessChain app namespace is warn-only agent_extension_lifecycle_risk, not a product-default block. No foreign agent-control mutation, exfiltration, remote payload execution, permission bypass, or persistence outside the platform contract was confirmed.
Evidence
package.jsonscripts/postinstall.mjssrc/lib/skill-packs/generator.jssrc/lib/skill-packs/schema.jssrc/lib/paths.jssrc/lib/update-notice.js<ChainlessChain userData>/skills/*/SKILL.md<ChainlessChain userData>/skills/*/handler.js
Network endpoints1
registry.npmjs.org/chainlesschain/latest

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs a postinstall lifecycle script
  • scripts/postinstall.mjs generates ChainlessChain skill packs during install
  • generated handlers can run chainlesschain subcommands with inherited environment
Evidence against
  • skill packs are generated under the ChainlessChain app namespace rather than a foreign agent surface
  • handlers are package-aligned and generated from static package schemas
  • no credential exfiltration, destructive action, remote payload execution, or permission bypass was confirmed
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 765 file(s), 14.3 MB of source, external domains: 127.0.0.1, accounts.google.com, api.anthropic.com, api.bochaai.com, api.deepseek.com, api.example.com, api.exchangerate-api.com, api.github.com, api.minimax.chat, api.mistral.ai, api.moonshot.cn, api.openai.com, api.search.brave.com, api.tavily.com, api.telegram.org, ark.cn-beijing.volces.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, cli.github.com, cli.vuejs.org, dashscope.aliyuncs.com, dav.jianguoyun.com, developer.mozilla.org, devtools.vuejs.org, docs.chainlesschain.com, evomap.chainlesschain.com, example.com, fcm.googleapis.com, generativelanguage.googleapis.com, github.com, graph.microsoft.com, html.duckduckgo.com, link.vuejs.org, local.chainlesschain, login.microsoftonline.com, mathiasbynens.be, matrix.org, modelcontextprotocol.io, nas.example, node.example.com, oauth2.googleapis.com, openidconnect.googleapis.com, oss-cn-hangzhou.aliyuncs.com, pinia.vuejs.org, python.org, qianfan.baidubce.com, registry.npmjs.org, router.vuejs.org, sso.example.com, tinyurl.com

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/auth/npm-auth.jsView file
6L7: import { execSync } from "child_process"; L8: import { logger } from "../lib/logger.js";
High
Child Process

Package source references child process execution.

src/auth/npm-auth.jsView on unpkg · L6
src/runtime/agent-core.jsView file
1107// Sensitive-file write guard (Claude-Code 2.1.160 parity): shell startup L1108: // files / PowerShell profiles / git+husky hooks execute code on the user's L1109: // next shell or commit — even otherwise-permitted edit flows confirm first.
High
Shell

Package source references shell execution.

src/runtime/agent-core.jsView on unpkg · L1107
src/lib/plugin-ecosystem.jsView file
86severity: REVIEW_SEVERITY.BLOCKER, L87: message: "Use of eval() — code injection risk", L88: penalty: 40,
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/lib/plugin-ecosystem.jsView on unpkg · L86
scripts/postinstall.mjsView file
6try { L7: const { generateCliPacks } = await import( L8: "../src/lib/skill-packs/generator.js"
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/postinstall.mjsView on unpkg · L6
src/harness/prompt-compressor.jsView file
654archivedAt: null, L655: metadata: { ...(metadata || {}) }, L656: };
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/harness/prompt-compressor.jsView on unpkg · L654
src/lib/mcp-oauth.jsView file
30export const _deps = { L31: fetch: (...a) => globalThis.fetch(...a), L32: fs: fsDefault, ... L37: openBrowser: defaultOpenBrowser, L38: spawn: (...a) => spawn(...a), L39: now: () => Date.now(), ... L43: warn: (msg) => { L44: if (!process.env.VITEST) process.stderr.write(msg); L45: },
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/lib/mcp-oauth.jsView on unpkg · L30
30export const _deps = { L31: fetch: (...a) => globalThis.fetch(...a), L32: fs: fsDefault, ... L37: openBrowser: defaultOpenBrowser, L38: spawn: (...a) => spawn(...a), L39: now: () => Date.now(), ... L43: warn: (msg) => { L44: if (!process.env.VITEST) process.stderr.write(msg); L45: },
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

src/lib/mcp-oauth.jsView on unpkg · L30
src/commands/init.jsView file
58L59: 通过本地 ComfyUI 服务(默认 http://localhost:8188)生成 AI 图像。 L60: ... L99: L100: const COMFYUI_URL = process.env.COMFYUI_URL || "http://localhost:8188"; L101: const POLL_INTERVAL_MS = 2000; ... L118: res.on("end", () => { L119: const data = Buffer.concat(dataChunks).toString("utf8"); L120: try { L121: resolve({ status: res.statusCode, body: JSON.parse(data) }); L122: } catch { ... L235: ? workflow
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/commands/init.jsView on unpkg · L58
src/commands/update.jsView file
2import semver from "semver"; L3: import { execSync } from "node:child_process"; L4: import { checkForUpdates } from "../lib/version-checker.js"; ... L10: /** L11: * A version that is safe to interpolate into `npm install -g chainlesschain@<v>`. L12: * The version reaching selfUpdateCli already comes from version-checker (gated by
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/commands/update.jsView on unpkg · L2

Findings

7 High5 Medium9 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processsrc/auth/npm-auth.js
HighShellsrc/runtime/agent-core.js
HighSame File Env Network Executionsrc/lib/mcp-oauth.js
HighCommand Output Exfiltrationsrc/lib/mcp-oauth.js
HighSandbox Evasion Gated Capabilitysrc/commands/init.js
HighRuntime Package Installsrc/commands/update.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/postinstall.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalsrc/lib/plugin-ecosystem.js
LowWeak Cryptosrc/harness/prompt-compressor.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings