registry  /  daedalus-cli  /  1.35.0

daedalus-cli@1.35.0

Local-first AI coding CLI with embedded model router, multi-agent orchestration, and codebase indexing

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI coding CLI with user-invoked shell, file, web, MCP, screenshot, and eval tools, plus local config/session storage.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Install creates config dir; runtime CLI use activates model routing and tools
Impact
Benign local-first coding assistant behavior; no unconsented exfiltration or control-surface mutation identified
Mechanism
Package-aligned CLI automation primitives with approval gates
Rationale
Static inspection shows suspicious primitives are core CLI features and are gated or user/config driven. The install hook is limited to creating a config directory and no credential theft, hidden payload, exfiltration, or unconsented AI-agent control mutation was found.
Evidence
package.jsonscripts/postinstall.jsdist/index.jsdist/config/index.jsdist/session/manager.jsdist/tools/builtin/terminal.jsdist/tools/builtin/eval.jsdist/tools/builtin/files.jsdist/tools/mcp/stdio.jsdist/tools/mcp/manager.js~/.daedalus~/.daedalus/config.json~/.daedalus/sessions~/.daedalus/memory~/.daedalus/indexing~/.daedalus/screenshots
Network endpoints11
registry.npmjs.org/daedalus-cli/latesthtml.duckduckgo.com/html/registry.modelcontextprotocol.iolocalhost:1234localhost:11434localhost:8080localhost:8000api.openai.com/v1api.groq.com/openai/v1openrouter.ai/api/v1api.anthropic.com/v1

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall.js
  • dist/tools/builtin/terminal.js, eval.js, files.js expose shell/eval/write primitives at runtime
  • dist/index.js startup performs update check and codebase indexing
  • dist/tools/mcp/manager.js can add MCP server configs from registry
Evidence against
  • scripts/postinstall.js only creates ~/.daedalus; no network, spawn, or payload drop
  • Terminal removes sensitive env keys and gates install commands unless approved
  • eval_code requires interactive TTY approval before executing snippets
  • Network use is package-aligned: model endpoints, update check, web/MCP tools
  • File writes are CLI tool/session/config behavior under project or ~/.daedalus
  • No credential harvesting, persistence outside config, destructive install hook, or exfiltration found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 106 file(s), 790 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, api.primary.ai, api.secondary.ai, bgill55.github.io, example.com, html.duckduckgo.com, openrouter.ai, registry.modelcontextprotocol.io, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/tools/mcp/stdio.test.jsView file
2import { EventEmitter } from 'events'; L3: vi.mock('child_process', () => ({ L4: spawn: vi.fn(),
High
Child Process

Package source references child process execution.

dist/tools/mcp/stdio.test.jsView on unpkg · L2
dist/tools/builtin/files.jsView file
191encoding: 'utf8', L192: shell: true, L193: });
High
Shell

Package source references shell execution.

dist/tools/builtin/files.jsView on unpkg · L191
187const tsconfigRoot = path.dirname(tsconfigPath); L188: const runTsc = () => spawnSync('npx', ['tsc', '--noEmit', '--skipLibCheck'], { L189: cwd: tsconfigRoot,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/tools/builtin/files.jsView on unpkg · L187
dist/tools/executor.jsView file
9try { L10: const mod = await import(modulePath); L11: implementationCache.set(modulePath, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/executor.jsView on unpkg · L9
dist/tools/builtin/screenshot.jsView file
10package = daedalus-cli; repositoryIdentity = daedalus; dependency = puppeteer-core L10: try { L11: puppeteer = (await import('puppeteer-core')).default; L12: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/tools/builtin/screenshot.jsView on unpkg · L10
Daedalus.batView file
path = Daedalus.bat kind = build_helper sizeBytes = 439 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Daedalus.batView on unpkg
dist/agents/orchestrator.test.jsView file
matchType = previous_version_dangerous_delta matchedPackage = daedalus-cli@1.34.18 matchedIdentity = npm:ZGFlZGFsdXMtY2xp:1.34.18 similarity = 0.990 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/agents/orchestrator.test.jsView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/agents/orchestrator.test.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/tools/mcp/stdio.test.js
HighShelldist/tools/builtin/files.js
HighCopied Package Dependency Bridgedist/tools/builtin/screenshot.js
HighRuntime Package Installdist/tools/builtin/files.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/tools/executor.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperDaedalus.bat
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings