registry  /  chainlesschain  /  0.162.154

chainlesschain@0.162.154

Superseded by 0.162.162 (npm latest). Please upgrade: npm i -g chainlesschain@latest

CLI for ChainlessChain - install, configure, and manage your personal AI management system

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install runs a first-party skill-pack generator that writes agent/CLI extension files into the ChainlessChain desktop user-data skills directory. This is an agent extension lifecycle risk, but I did not find unconsented mutation of a foreign/broad AI-agent control surface or exfiltration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install of chainlesschain@0.162.154; later explicit skill invocation
Impact
Creates package-owned agent skill files whose handlers may execute chainlesschain commands when invoked by the product/user.
Mechanism
postinstall-generated first-party CLI skill handlers
Rationale
This package should be warned rather than blocked: install-time first-party agent extension setup creates lifecycle risk, but inspected source does not show concrete malicious behavior or broad/foreign control-surface hijacking. Runtime network, shell, update, and MCP capabilities appear package-aligned and user/config driven.
Evidence
package.jsonscripts/postinstall.mjssrc/lib/skill-packs/generator.jssrc/lib/skill-packs/schema.jssrc/lib/paths.jssrc/lib/update-notice.jssrc/commands/update.jssrc/harness/mcp-client.js<Electron userData>/skills/<cli-pack>/SKILL.md<Electron userData>/skills/<cli-pack>/handler.js~/.chainlesschain/update-check.json
Network endpoints4
registry.npmjs.org/chainlesschain/latestwww.npmjs.com/package/chainlesschain/v/github.com/chainlesschain/chainlesschain.gitwww.chainlesschain.com

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs imports src/lib/skill-packs/generator.js during npm install
  • src/lib/skill-packs/generator.js writes SKILL.md and handler.js under getElectronUserDataDir()/skills
  • generated handlers can run chainlesschain subcommands via spawnSync shell:true after argument metacharacter filtering
  • src/lib/skill-packs/schema.js advertises agent/CLI skill packs with file/command capability descriptions
Evidence against
  • postinstall does not fetch remote code or run npm/package installs
  • postinstall only generates first-party chainlesschain skill pack files and prints optional SQLite note
  • shell execution paths are in generated user-invoked handlers, not immediate install-time execution
  • src/harness/mcp-client.js spawns configured MCP servers or fetches configured URLs at runtime, not hardcoded exfiltration
  • update command validates semver before npm install -g chainlesschain@version
  • No credential harvesting or hardcoded attacker endpoint found in inspected lifecycle/entry/hot files
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 818 file(s), 14.9 MB of source, external domains: 127.0.0.1, accounts.google.com, api-push.vivo.com.cn, api.anthropic.com, api.bochaai.com, api.deepseek.com, api.example.com, api.exchangerate-api.com, api.github.com, api.minimax.chat, api.mistral.ai, api.moonshot.cn, api.openai.com, api.push.apple.com, api.push.oppomobile.com, api.sandbox.push.apple.com, api.search.brave.com, api.tavily.com, api.telegram.org, api.xmpush.xiaomi.com, ark.cn-beijing.volces.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, cli.github.com, cli.vuejs.org, dashscope.aliyuncs.com, dav.jianguoyun.com, developer.mozilla.org, devtools.vuejs.org, docs.chainlesschain.com, evomap.chainlesschain.com, example.com, fcm.googleapis.com, generativelanguage.googleapis.com, github.com, graph.microsoft.com, html.duckduckgo.com, link.vuejs.org, local.chainlesschain, login.microsoftonline.com, mathiasbynens.be, matrix.org, modelcontextprotocol.io, nas.example, node.example.com, oauth-login.cloud.huawei.com, oauth2.googleapis.com, openidconnect.googleapis.com, oss-cn-hangzhou.aliyuncs.com, pinia.vuejs.org

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/auth/npm-auth.jsView file
6L7: import { execSync } from "child_process"; L8: import { logger } from "../lib/logger.js";
High
Child Process

Package source references child process execution.

src/auth/npm-auth.jsView on unpkg · L6
src/runtime/agent-core.jsView file
1254// Sensitive-file write guard (Claude-Code 2.1.160 parity): shell startup L1255: // files / PowerShell profiles / git+husky hooks execute code on the user's L1256: // next shell or commit — even otherwise-permitted edit flows confirm first.
High
Shell

Package source references shell execution.

src/runtime/agent-core.jsView on unpkg · L1254
src/lib/plugin-ecosystem.jsView file
86severity: REVIEW_SEVERITY.BLOCKER, L87: message: "Use of eval() — code injection risk", L88: penalty: 40,
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/lib/plugin-ecosystem.jsView on unpkg · L86
scripts/postinstall.mjsView file
6try { L7: const { generateCliPacks } = await import( L8: "../src/lib/skill-packs/generator.js"
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/postinstall.mjsView on unpkg · L6
src/harness/prompt-compressor.jsView file
680archivedAt: null, L681: metadata: { ...(metadata || {}) }, L682: };
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/harness/prompt-compressor.jsView on unpkg · L680
src/lib/mcp-oauth.jsView file
30export const _deps = { L31: fetch: (...a) => globalThis.fetch(...a), L32: fs: fsDefault, ... L37: openBrowser: defaultOpenBrowser, L38: spawn: (...a) => spawn(...a), L39: now: () => Date.now(), ... L43: warn: (msg) => { L44: if (!process.env.VITEST) process.stderr.write(msg); L45: },
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/lib/mcp-oauth.jsView on unpkg · L30
30export const _deps = { L31: fetch: (...a) => globalThis.fetch(...a), L32: fs: fsDefault, ... L37: openBrowser: defaultOpenBrowser, L38: spawn: (...a) => spawn(...a), L39: now: () => Date.now(), ... L43: warn: (msg) => { L44: if (!process.env.VITEST) process.stderr.write(msg); L45: },
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

src/lib/mcp-oauth.jsView on unpkg · L30
src/commands/init.jsView file
58L59: 通过本地 ComfyUI 服务(默认 http://localhost:8188)生成 AI 图像。 L60: ... L99: L100: const COMFYUI_URL = process.env.COMFYUI_URL || "http://localhost:8188"; L101: const POLL_INTERVAL_MS = 2000; ... L118: res.on("end", () => { L119: const data = Buffer.concat(dataChunks).toString("utf8"); L120: try { L121: resolve({ status: res.statusCode, body: JSON.parse(data) }); L122: } catch { ... L235: ? workflow
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/commands/init.jsView on unpkg · L58
src/commands/update.jsView file
2import semver from "semver"; L3: import { execSync } from "node:child_process"; L4: import { checkForUpdates } from "../lib/version-checker.js"; ... L10: /** L11: * A version that is safe to interpolate into `npm install -g chainlesschain@<v>`. L12: * The version reaching selfUpdateCli already comes from version-checker (gated by
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/commands/update.jsView on unpkg · L2
src/harness/mcp-client.jsView file
matchType = previous_version_dangerous_delta matchedPackage = chainlesschain@0.162.151 matchedIdentity = npm:Y2hhaW5sZXNzY2hhaW4:0.162.151 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/harness/mcp-client.jsView on unpkg

Findings

1 Critical7 High5 Medium9 Low
CriticalPrevious Version Dangerous Deltasrc/harness/mcp-client.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processsrc/auth/npm-auth.js
HighShellsrc/runtime/agent-core.js
HighSame File Env Network Executionsrc/lib/mcp-oauth.js
HighCommand Output Exfiltrationsrc/lib/mcp-oauth.js
HighSandbox Evasion Gated Capabilitysrc/commands/init.js
HighRuntime Package Installsrc/commands/update.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/postinstall.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalsrc/lib/plugin-ecosystem.js
LowWeak Cryptosrc/harness/prompt-compressor.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings