registry  /  daedalus-cli  /  1.38.3

daedalus-cli@1.38.3

Local-first AI coding CLI with embedded model router, multi-agent orchestration, and codebase indexing

AI Security Review

scanned 27m ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package has a minimal first-party postinstall config-directory creation and broad user-invoked AI coding CLI capabilities.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install creates config directory; user runs daedalus for runtime tools
Impact
Creates ~/.daedalus and may later edit files/run commands only through explicit CLI workflows; no covert install/import-time attack found.
Mechanism
first-party config setup and user-invoked local coding-agent tooling
Rationale
Static source inspection found risky but expected AI coding CLI primitives, with install-time behavior limited to first-party ~/.daedalus directory creation. There is no concrete evidence of exfiltration, remote payload execution, destructive behavior, dependency confusion, or unconsented mutation of a foreign/broad AI-agent control surface.
Evidence
package.jsonscripts/postinstall.jsdist/index.jsdist/update-check.jsdist/config/index.jsdist/model.jsdist/tools/executor.jsdist/tools/builtin/files.jsdist/tools/builtin/terminal.jsdist/tools/mcp/stdio.jsdist/tools/mcp/http.js~/.daedalus~/.daedalus/config.json~/.daedalus/indexing/<projectHash>.sqlite
Network endpoints6
registry.npmjs.org/daedalus-cli/latestregistry.modelcontextprotocol.ioapi.openai.com/v1api.groq.com/openai/v1openrouter.ai/api/v1api.anthropic.com/v1

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle: node scripts/postinstall.js
  • scripts/postinstall.js creates ~/.daedalus during install
  • dist/index.js enables --auto-approve/-y mode for runtime agent tools when user invokes CLI
Evidence against
  • scripts/postinstall.js only imports fs/os/path and creates the first-party ~/.daedalus config directory
  • No install-time network, child_process, shell-profile mutation, credential access, or foreign AI-agent control writes found
  • dist/tools/builtin/terminal.js strips common secret env vars and prompts before package install commands unless explicitly allowed
  • dist/model.js prompts before dangerous runtime tools terminal/write_file unless auto-approve is enabled by user/config
  • Network endpoints are package-aligned: npm update check, configured model endpoints, MCP transports, and web_search/fetch_url tools
  • Dynamic imports in dist/tools/executor.js load built-in tool modules from static TOOL_IMPLEMENTATIONS mappings
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 106 file(s), 827 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, api.primary.ai, api.secondary.ai, bgill55.github.io, example.com, html.duckduckgo.com, openrouter.ai, registry.modelcontextprotocol.io, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/tools/mcp/stdio.test.jsView file
2import { EventEmitter } from 'events'; L3: vi.mock('child_process', () => ({ L4: spawn: vi.fn(),
High
Child Process

Package source references child process execution.

dist/tools/mcp/stdio.test.jsView on unpkg · L2
dist/tools/builtin/files.jsView file
matchType = previous_version_dangerous_delta matchedPackage = daedalus-cli@1.38.0 matchedIdentity = npm:ZGFlZGFsdXMtY2xp:1.38.0 similarity = 0.931 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tools/builtin/files.jsView on unpkg
191encoding: 'utf8', L192: shell: true, L193: });
High
Shell

Package source references shell execution.

dist/tools/builtin/files.jsView on unpkg · L191
187const tsconfigRoot = path.dirname(tsconfigPath); L188: const runTsc = () => spawnSync('npx', ['tsc', '--noEmit', '--skipLibCheck'], { L189: cwd: tsconfigRoot,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/tools/builtin/files.jsView on unpkg · L187
dist/tools/executor.jsView file
9try { L10: const mod = await import(modulePath); L11: implementationCache.set(modulePath, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/executor.jsView on unpkg · L9
dist/tools/builtin/screenshot.jsView file
10package = daedalus-cli; repositoryIdentity = daedalus; dependency = puppeteer-core L10: try { L11: puppeteer = (await import('puppeteer-core')).default; L12: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/tools/builtin/screenshot.jsView on unpkg · L10
Daedalus.batView file
path = Daedalus.bat kind = build_helper sizeBytes = 439 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Daedalus.batView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/tools/builtin/files.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/tools/mcp/stdio.test.js
HighShelldist/tools/builtin/files.js
HighCopied Package Dependency Bridgedist/tools/builtin/screenshot.js
HighRuntime Package Installdist/tools/builtin/files.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/tools/executor.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperDaedalus.bat
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings