registry  /  chainlesschain  /  0.162.149

chainlesschain@0.162.149

Superseded by 0.162.162 (npm latest). Please upgrade: npm i -g chainlesschain@latest

CLI for ChainlessChain - install, configure, and manage your personal AI management system

AI Security Review

scanned 8d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was established by source inspection. The install hook generates first-party ChainlessChain skill packs in the app userData directory and prints an optional SQLite note; risky agent and shell capabilities are runtime/user-invoked CLI features.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall for skill-pack generation; runtime CLI commands for agent/update/auth features
Impact
Installs ChainlessChain-managed skill files; no confirmed exfiltration, persistence, or foreign AI-agent control hijack
Mechanism
first-party agent platform extension setup and user-invoked command execution
Rationale
The lifecycle behavior is a guarded first-party app namespace skill generation flow, matching warn-only agent extension lifecycle risk rather than unconsented foreign control-surface hijack. Scanner hits for shell, network, env, and package install are package-aligned runtime capabilities with validation or user action gates.
Evidence
package.jsonscripts/postinstall.mjssrc/lib/skill-packs/generator.jssrc/lib/paths.jssrc/runtime/agent-core.jssrc/commands/update.jssrc/auth/npm-auth.js~/Library/Application Support/chainlesschain-desktop-vue/skills/<cli-pack>/SKILL.md~/Library/Application Support/chainlesschain-desktop-vue/skills/<cli-pack>/handler.js
Network endpoints4
api.github.com/repos/chainlesschain/chainlesschainwww.chainlesschain.comapi.openai.com/v1api.anthropic.com/v1

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
    Evidence against
    • postinstall only calls src/lib/skill-packs/generator.js and optional sqlite module detection
    • skill packs write under ChainlessChain Electron userData skills namespace, not Claude/Codex/MCP configs
    • generated handlers validate command names and reject shell metacharacters before spawnSync shell:true
    • runtime child_process uses are user-invoked CLI features such as update, npm auth, agent shell tools
    • network URLs are package-aligned LLM/update/push/integration endpoints, not install-time exfiltration
    • no evidence of credential harvesting or lifecycle mutation of foreign agent control surfaces
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 811 file(s), 14.6 MB of source, external domains: 127.0.0.1, accounts.google.com, api-push.vivo.com.cn, api.anthropic.com, api.bochaai.com, api.deepseek.com, api.example.com, api.exchangerate-api.com, api.github.com, api.minimax.chat, api.mistral.ai, api.moonshot.cn, api.openai.com, api.push.apple.com, api.push.oppomobile.com, api.sandbox.push.apple.com, api.search.brave.com, api.tavily.com, api.telegram.org, api.xmpush.xiaomi.com, ark.cn-beijing.volces.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, cli.github.com, cli.vuejs.org, dashscope.aliyuncs.com, dav.jianguoyun.com, developer.mozilla.org, devtools.vuejs.org, docs.chainlesschain.com, evomap.chainlesschain.com, example.com, fcm.googleapis.com, generativelanguage.googleapis.com, github.com, graph.microsoft.com, html.duckduckgo.com, link.vuejs.org, local.chainlesschain, login.microsoftonline.com, mathiasbynens.be, matrix.org, modelcontextprotocol.io, nas.example, node.example.com, oauth-login.cloud.huawei.com, oauth2.googleapis.com, openidconnect.googleapis.com, oss-cn-hangzhou.aliyuncs.com, pinia.vuejs.org

    Source & flagged code

    12 flagged · loading source
    package.jsonView file
    scripts.postinstall = node scripts/postinstall.mjs
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = node scripts/postinstall.mjs
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg
    src/auth/npm-auth.jsView file
    6L7: import { execSync } from "child_process"; L8: import { logger } from "../lib/logger.js";
    High
    Child Process

    Package source references child process execution.

    src/auth/npm-auth.jsView on unpkg · L6
    src/runtime/agent-core.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = chainlesschain@0.162.148 matchedIdentity = npm:Y2hhaW5sZXNzY2hhaW4:0.162.148 similarity = 0.850 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    src/runtime/agent-core.jsView on unpkg
    1110// Sensitive-file write guard (Claude-Code 2.1.160 parity): shell startup L1111: // files / PowerShell profiles / git+husky hooks execute code on the user's L1112: // next shell or commit — even otherwise-permitted edit flows confirm first.
    High
    Shell

    Package source references shell execution.

    src/runtime/agent-core.jsView on unpkg · L1110
    src/lib/plugin-ecosystem.jsView file
    86severity: REVIEW_SEVERITY.BLOCKER, L87: message: "Use of eval() — code injection risk", L88: penalty: 40,
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    src/lib/plugin-ecosystem.jsView on unpkg · L86
    scripts/postinstall.mjsView file
    6try { L7: const { generateCliPacks } = await import( L8: "../src/lib/skill-packs/generator.js"
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    scripts/postinstall.mjsView on unpkg · L6
    src/harness/prompt-compressor.jsView file
    680archivedAt: null, L681: metadata: { ...(metadata || {}) }, L682: };
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    src/harness/prompt-compressor.jsView on unpkg · L680
    src/lib/mcp-oauth.jsView file
    30export const _deps = { L31: fetch: (...a) => globalThis.fetch(...a), L32: fs: fsDefault, ... L37: openBrowser: defaultOpenBrowser, L38: spawn: (...a) => spawn(...a), L39: now: () => Date.now(), ... L43: warn: (msg) => { L44: if (!process.env.VITEST) process.stderr.write(msg); L45: },
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    src/lib/mcp-oauth.jsView on unpkg · L30
    30export const _deps = { L31: fetch: (...a) => globalThis.fetch(...a), L32: fs: fsDefault, ... L37: openBrowser: defaultOpenBrowser, L38: spawn: (...a) => spawn(...a), L39: now: () => Date.now(), ... L43: warn: (msg) => { L44: if (!process.env.VITEST) process.stderr.write(msg); L45: },
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    src/lib/mcp-oauth.jsView on unpkg · L30
    src/commands/init.jsView file
    58L59: 通过本地 ComfyUI 服务(默认 http://localhost:8188)生成 AI 图像。 L60: ... L99: L100: const COMFYUI_URL = process.env.COMFYUI_URL || "http://localhost:8188"; L101: const POLL_INTERVAL_MS = 2000; ... L118: res.on("end", () => { L119: const data = Buffer.concat(dataChunks).toString("utf8"); L120: try { L121: resolve({ status: res.statusCode, body: JSON.parse(data) }); L122: } catch { ... L235: ? workflow
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    src/commands/init.jsView on unpkg · L58
    src/commands/update.jsView file
    2import semver from "semver"; L3: import { execSync } from "node:child_process"; L4: import { checkForUpdates } from "../lib/version-checker.js"; ... L10: /** L11: * A version that is safe to interpolate into `npm install -g chainlesschain@<v>`. L12: * The version reaching selfUpdateCli already comes from version-checker (gated by
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    src/commands/update.jsView on unpkg · L2

    Findings

    1 Critical7 High5 Medium9 Low
    CriticalPrevious Version Dangerous Deltasrc/runtime/agent-core.js
    HighInstall Time Lifecycle Scriptspackage.json
    HighChild Processsrc/auth/npm-auth.js
    HighShellsrc/runtime/agent-core.js
    HighSame File Env Network Executionsrc/lib/mcp-oauth.js
    HighCommand Output Exfiltrationsrc/lib/mcp-oauth.js
    HighSandbox Evasion Gated Capabilitysrc/commands/init.js
    HighRuntime Package Installsrc/commands/update.js
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumDynamic Requirescripts/postinstall.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvalsrc/lib/plugin-ecosystem.js
    LowWeak Cryptosrc/harness/prompt-compressor.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings