registry  /  daedalus-cli  /  1.38.1

daedalus-cli@1.38.1

Local-first AI coding CLI with embedded model router, multi-agent orchestration, and codebase indexing

AI Security Review

scanned 30m ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI coding CLI whose risky primitives are exposed as user-facing runtime tools rather than hidden install-time behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install runs postinstall; CLI runtime activates tools after user starts daedalus
Impact
Creates/updates Daedalus state and can execute commands or access network during normal CLI use; no evidence of unconsented exfiltration or control hijack
Mechanism
first-party CLI config creation and user-invoked agent tooling
Rationale
Static inspection shows a capable AI coding CLI with expected file, shell, web, model-router, and MCP functionality, but the install hook is limited to creating its own config directory and no hidden exfiltration or unconsented foreign agent-control mutation was found. Scanner findings map to package-aligned runtime capabilities rather than concrete malicious behavior.
Evidence
package.jsonscripts/postinstall.jsdist/index.jsdist/tools/builtin/terminal.jsdist/tools/builtin/files.jsdist/tools/builtin/web.jsdist/update-check.jsdist/tools/mcp/manager.jsdist/tools/mcp/stdio.jsdist/config/index.js~/.daedalus~/.daedalus/config.json~/.daedalus/indexing/*.sqlite~/.daedalus/screenshots/*.png.daedalusrc
Network endpoints11
registry.npmjs.org/daedalus-cli/latesthtml.duckduckgo.com/html/registry.modelcontextprotocol.iolocalhost:1234/v1localhost:11434/v1localhost:8080/v1localhost:8000/v1api.openai.com/v1api.groq.com/openai/v1openrouter.ai/api/v1api.anthropic.com/v1

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall.js
  • dist/index.js embeds an agent prompt granting terminal, file edit, web, and MCP capabilities
  • dist/tools/builtin/terminal.js exposes user-invoked shell execution
  • dist/tools/mcp/manager.js can add MCP server configs from registry results
  • dist/tools/builtin/web.js and dist/update-check.js perform network fetches
Evidence against
  • scripts/postinstall.js only creates ~/.daedalus and does not modify other agent configs
  • No install-time code exfiltrates env, reads secrets, downloads payloads, or executes remote code
  • Network use is package-aligned: update checks, model/router endpoints, web tool, MCP registry
  • Shell/eval/file-write primitives are CLI tools invoked during agent use, with some approval and env sanitization gates
  • MCP config mutation is first-party Daedalus config via explicit commands, not a foreign/broad control surface
  • No native binaries, bytecode loaders, obfuscated payloads, or destructive import-time behavior found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 106 file(s), 827 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, api.primary.ai, api.secondary.ai, bgill55.github.io, example.com, html.duckduckgo.com, openrouter.ai, registry.modelcontextprotocol.io, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/tools/mcp/stdio.test.jsView file
2import { EventEmitter } from 'events'; L3: vi.mock('child_process', () => ({ L4: spawn: vi.fn(),
High
Child Process

Package source references child process execution.

dist/tools/mcp/stdio.test.jsView on unpkg · L2
dist/tools/builtin/files.jsView file
matchType = previous_version_dangerous_delta matchedPackage = daedalus-cli@1.38.0 matchedIdentity = npm:ZGFlZGFsdXMtY2xp:1.38.0 similarity = 0.961 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tools/builtin/files.jsView on unpkg
191encoding: 'utf8', L192: shell: true, L193: });
High
Shell

Package source references shell execution.

dist/tools/builtin/files.jsView on unpkg · L191
187const tsconfigRoot = path.dirname(tsconfigPath); L188: const runTsc = () => spawnSync('npx', ['tsc', '--noEmit', '--skipLibCheck'], { L189: cwd: tsconfigRoot,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/tools/builtin/files.jsView on unpkg · L187
dist/tools/executor.jsView file
9try { L10: const mod = await import(modulePath); L11: implementationCache.set(modulePath, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/executor.jsView on unpkg · L9
dist/tools/builtin/screenshot.jsView file
10package = daedalus-cli; repositoryIdentity = daedalus; dependency = puppeteer-core L10: try { L11: puppeteer = (await import('puppeteer-core')).default; L12: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/tools/builtin/screenshot.jsView on unpkg · L10
Daedalus.batView file
path = Daedalus.bat kind = build_helper sizeBytes = 439 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Daedalus.batView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/tools/builtin/files.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/tools/mcp/stdio.test.js
HighShelldist/tools/builtin/files.js
HighCopied Package Dependency Bridgedist/tools/builtin/screenshot.js
HighRuntime Package Installdist/tools/builtin/files.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/tools/executor.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperDaedalus.bat
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings