registry  /  daedalus-cli  /  1.35.9

daedalus-cli@1.35.9

Local-first AI coding CLI with embedded model router, multi-agent orchestration, and codebase indexing

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are aligned with an AI coding CLI and require user CLI/tool invocation rather than hidden install/import execution.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install postinstall or user-invoked daedalus CLI/tool actions
Impact
Expected local CLI behavior; no confirmed credential harvesting, exfiltration, persistence, destructive install hook, or unconsented agent control mutation.
Mechanism
benign config-directory creation and user-directed coding tools
Rationale
Static inspection shows dangerous capabilities, but they are core CLI features with explicit runtime triggers and safeguards, while the install hook only creates a config directory. I found no hidden payload, credential collection, exfiltration path, persistence, or lifecycle AI-agent control-surface mutation.
Evidence
package.jsonscripts/postinstall.jsdist/index.jsdist/update-check.jsdist/tools/builtin/terminal.jsdist/tools/builtin/files.jsdist/tools/builtin/eval.jsdist/tools/mcp/stdio.js
Network endpoints6
registry.npmjs.org/daedalus-cli/latestregistry.modelcontextprotocol.ioapi.openai.com/v1api.groq.com/openai/v1openrouter.ai/api/v1api.anthropic.com/v1

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with high false-positive risk.
Evidence for block
  • package.json has postinstall: node scripts/postinstall.js
  • dist/tools/builtin/terminal.js provides user-invoked shell execution
  • dist/tools/builtin/files.js can write/patch project files and run syntax/test helpers
  • dist/tools/builtin/eval.js can execute approved user code
Evidence against
  • scripts/postinstall.js only creates ~/.daedalus config directory; no network, payload download, or command execution
  • dist/index.js bin initializes normal CLI state and calls update/profile/session features, not hidden exfiltration
  • dist/tools/builtin/terminal.js strips sensitive env keys before spawned commands and gates install commands
  • dist/tools/mcp/stdio.js strips sensitive env keys and rejects shell metacharacters in configured command
  • Network endpoints are update checks, local model endpoints, provider endpoints, web/MCP tools, or user-configured URLs
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 106 file(s), 801 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, api.primary.ai, api.secondary.ai, bgill55.github.io, example.com, html.duckduckgo.com, openrouter.ai, registry.modelcontextprotocol.io, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/tools/mcp/stdio.test.jsView file
2import { EventEmitter } from 'events'; L3: vi.mock('child_process', () => ({ L4: spawn: vi.fn(),
High
Child Process

Package source references child process execution.

dist/tools/mcp/stdio.test.jsView on unpkg · L2
dist/tools/builtin/files.jsView file
191encoding: 'utf8', L192: shell: true, L193: });
High
Shell

Package source references shell execution.

dist/tools/builtin/files.jsView on unpkg · L191
187const tsconfigRoot = path.dirname(tsconfigPath); L188: const runTsc = () => spawnSync('npx', ['tsc', '--noEmit', '--skipLibCheck'], { L189: cwd: tsconfigRoot,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/tools/builtin/files.jsView on unpkg · L187
dist/tools/executor.jsView file
9try { L10: const mod = await import(modulePath); L11: implementationCache.set(modulePath, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/executor.jsView on unpkg · L9
dist/tools/builtin/screenshot.jsView file
10package = daedalus-cli; repositoryIdentity = daedalus; dependency = puppeteer-core L10: try { L11: puppeteer = (await import('puppeteer-core')).default; L12: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/tools/builtin/screenshot.jsView on unpkg · L10
Daedalus.batView file
path = Daedalus.bat kind = build_helper sizeBytes = 439 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Daedalus.batView on unpkg
dist/agents/orchestrator.test.jsView file
matchType = previous_version_dangerous_delta matchedPackage = daedalus-cli@1.35.8 matchedIdentity = npm:ZGFlZGFsdXMtY2xp:1.35.8 similarity = 0.990 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agents/orchestrator.test.jsView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/agents/orchestrator.test.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/tools/mcp/stdio.test.js
HighShelldist/tools/builtin/files.js
HighCopied Package Dependency Bridgedist/tools/builtin/screenshot.js
HighRuntime Package Installdist/tools/builtin/files.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/tools/executor.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperDaedalus.bat
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings