registry  /  merrymen  /  0.1.3

merrymen@0.1.3

Self-hosted autonomous trading agents for Robinhood Chain — your keys, your caps, hard on-chain permission walls, write-your-own strategies.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an explicit self-hosted trading agent that runs only through its lifecycle build hook or user-invoked CLI/worker commands.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm prepare builds the local dashboard; user runs merrymen onboard/start or enables configured integrations.
Impact
Can make user-authorized trading requests and execute user-supplied local strategy code, but no stealth persistence, harvesting, or exfiltration was found.
Mechanism
Local trading-worker execution with user-configured RPC, Telegram, and Anthropic integrations.
Rationale
Source inspection shows package-aligned build, local trading, and opt-in integration behavior rather than a concrete malicious chain. Dynamic strategy loading is restricted to explicitly user-managed files and does not retrieve or execute remote payloads.
Evidence
package.jsoncli/build.mjscli/bin.mjsworker/src/strategies/custom.tsworker/src/index.tsworker/src/settings.tsworker/src/telegram/service.ts~/.merrymen/settings.json~/.merrymen/grant.json~/.merrymen/strategies
Network endpoints5
rpc.mainnet.chain.robinhood.comrpc.testnet.chain.robinhood.comapi.telegram.orgrialto-trade-api.rialto.xyzblue-api.morpho.org/graphql

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json uses only a prepare hook, which runs cli/build.mjs to build the bundled dashboard.
    • cli/build.mjs invokes the package-local Next binary and exits successfully on build failure; it does not fetch or modify user secrets.
    • cli/bin.mjs performs network calls only for configured chain RPC, Telegram diagnostics, and explicit user commands.
    • worker/src/strategies/custom.ts imports only a user-selected, name-validated strategy from ~/.merrymen/strategies.
    • Writes and deletions are limited to the package's ~/.merrymen state, including explicit kill-switch grant removal.
    • web/.next is a generated Next.js build artifact, explaining the oversized vendor chunk hint.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 63 file(s), 304 KB of source, external domains: api.pimlico.io, api.telegram.org, blue-api.morpho.org, cdn.robinhood.com, docs.rialto.xyz, explorer.testnet.chain.robinhood.com, faucet.testnet.chain.robinhood.com, rialto-trade-api.rialto.xyz, robinhoodchain.blockscout.com, rpc.mainnet.chain.robinhood.com, rpc.testnet.chain.robinhood.com

    Source & flagged code

    5 flagged · loading source
    worker/src/strategies/custom.tsView file
    135const note = opts?.onNote ?? ((l, m) => console.log(`[custom:${l}] ${m}`)); L136: const importer = opts?.importer ?? ((url) => import(url)); L137: const ctx = buildStrategyCtx();
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    worker/src/strategies/custom.tsView on unpkg · L135
    cli/bin.mjsView file
    20L21: import { spawn, spawnSync } from "node:child_process"; L22: import { copyFileSync, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs"; ... L32: // Where the USER's data lives — settings, grant, ledger, strategies. L33: const HOME = process.env.MERRYMEN_HOME ?? path.join(os.homedir(), ".merrymen"); L34: const SETTINGS = path.join(HOME, "settings.json"); ... L41: L42: const RPC_MAINNET = "https://rpc.mainnet.chain.robinhood.com"; L43: const RPC_TESTNET = "https://rpc.testnet.chain.robinhood.com"; ... L56: try { L57: return JSON.parse(readFileSync(file, "utf8").replace(/^/, "")); L58: } catch {
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    cli/bin.mjsView on unpkg · L20
    matchType = previous_version_dangerous_delta matchedPackage = merrymen@0.1.0 matchedIdentity = npm:bWVycnltZW4:0.1.0 similarity = 0.873 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    cli/bin.mjsView on unpkg
    web/.next/server/vendor-chunks/next.jsView file
    path = web/.next/server/vendor-chunks/next.js kind = payload_in_excluded_dir sizeBytes = 6855946 magicHex = [redacted]
    High
    Payload In Excluded Dir

    Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

    web/.next/server/vendor-chunks/next.jsView on unpkg
    path = web/.next/server/vendor-chunks/next.js kind = oversized_source_file sizeBytes = 6855946 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    web/.next/server/vendor-chunks/next.jsView on unpkg

    Findings

    4 High4 Medium5 Low
    HighSandbox Evasion Gated Capabilitycli/bin.mjs
    HighPayload In Excluded Dirweb/.next/server/vendor-chunks/next.js
    HighOversized Source Fileweb/.next/server/vendor-chunks/next.js
    HighPrevious Version Dangerous Deltacli/bin.mjs
    MediumDynamic Requireworker/src/strategies/custom.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings