registry  /  daedalus-cli  /  1.35.3

daedalus-cli@1.35.3

Local-first AI coding CLI with embedded model router, multi-agent orchestration, and codebase indexing

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI coding CLI with expected user-invoked shell, file-editing, web, model, and MCP features; install-time behavior is limited to creating a local config directory.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install runs postinstall; CLI runtime activates tools after user/model interaction
Impact
No unconsented credential exfiltration or lifecycle control-surface mutation identified
Mechanism
benign AI coding CLI capabilities with guarded shell/file/MCP operations
Rationale
Static source inspection found dangerous primitives, but they are core CLI features, user-invoked, and include relevant gates/env filtering; the postinstall hook is limited to local directory creation. No concrete malicious behavior or hidden payload was identified.
Evidence
package.jsonscripts/postinstall.jsdist/index.jsdist/tools/builtin/terminal.jsdist/tools/mcp/stdio.jsdist/tools/mcp/manager.jsdist/update-check.jsdist/tools/builtin/web.jsdist/config/index.js

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has postinstall lifecycle: node scripts/postinstall.js
  • dist/index.js embeds strong AI-agent tool-use instructions, including terminal/write_file behavior
  • dist/tools/builtin/terminal.js exposes user-invoked shell execution
  • dist/tools/mcp/manager.js can add MCP server config from registry packages
Evidence against
  • scripts/postinstall.js only creates ~/.daedalus config directory; no network or payload execution
  • dist/tools/builtin/terminal.js filters sensitive env vars and gates install commands
  • dist/tools/mcp/stdio.js sanitizes env and rejects shell metacharacters in configured command
  • Network use is package-aligned: model endpoints, npm update check, DuckDuckGo search, MCP registry
  • File writes are user-invoked CLI tools or local config/session state, not install-time takeover
  • No credential harvesting, exfiltration, persistence, destructive install action, or hidden payload found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 106 file(s), 791 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, api.primary.ai, api.secondary.ai, bgill55.github.io, example.com, html.duckduckgo.com, openrouter.ai, registry.modelcontextprotocol.io, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/tools/mcp/stdio.test.jsView file
2import { EventEmitter } from 'events'; L3: vi.mock('child_process', () => ({ L4: spawn: vi.fn(),
High
Child Process

Package source references child process execution.

dist/tools/mcp/stdio.test.jsView on unpkg · L2
dist/tools/builtin/files.jsView file
191encoding: 'utf8', L192: shell: true, L193: });
High
Shell

Package source references shell execution.

dist/tools/builtin/files.jsView on unpkg · L191
187const tsconfigRoot = path.dirname(tsconfigPath); L188: const runTsc = () => spawnSync('npx', ['tsc', '--noEmit', '--skipLibCheck'], { L189: cwd: tsconfigRoot,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/tools/builtin/files.jsView on unpkg · L187
dist/tools/executor.jsView file
9try { L10: const mod = await import(modulePath); L11: implementationCache.set(modulePath, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/executor.jsView on unpkg · L9
dist/tools/builtin/screenshot.jsView file
10package = daedalus-cli; repositoryIdentity = daedalus; dependency = puppeteer-core L10: try { L11: puppeteer = (await import('puppeteer-core')).default; L12: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/tools/builtin/screenshot.jsView on unpkg · L10
Daedalus.batView file
path = Daedalus.bat kind = build_helper sizeBytes = 439 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Daedalus.batView on unpkg
dist/agents/orchestrator.test.jsView file
matchType = previous_version_dangerous_delta matchedPackage = daedalus-cli@1.36.1 matchedIdentity = npm:ZGFlZGFsdXMtY2xp:1.36.1 similarity = 0.902 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agents/orchestrator.test.jsView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/agents/orchestrator.test.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/tools/mcp/stdio.test.js
HighShelldist/tools/builtin/files.js
HighCopied Package Dependency Bridgedist/tools/builtin/screenshot.js
HighRuntime Package Installdist/tools/builtin/files.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/tools/executor.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperDaedalus.bat
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings