
nolimit-agent@1.0.332

Advanced email sender

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package, routed for review; source fingerprint signature matched known malicious package, routed for review.
Trigger
User runs nolimit CLI commands such as web --setup, web, sms, oauth, contacts, or dkim after install.
Impact
Can facilitate spam/phishing workflows and collect account contacts when the operator supplies credentials or OAuth approval.
Mechanism
User-invoked bulk messaging, contact extraction, and webmail DOM automation
Policy narrative
On install, the package prompts for an EULA and may create a Windows bin shim; these are not themselves an attack. After explicit CLI use, the obfuscated app supports bulk SMTP/SMS sending, OAuth token storage, contact extraction from Graph/Google/IMAP, and a local Chrome extension that injects a webmail sending panel into active mail sessions.
Rationale
This is not clean because the published package contains substantial dangerous agent-like messaging and contact-harvesting capability, but the risky behavior appears gated behind explicit CLI commands rather than unconsented lifecycle execution. The install hooks do not establish persistence, exfiltrate credentials, or mutate foreign AI-agent control surfaces.
Evidence
  • package.json
  • scripts/preinstall.js
  • scripts/postinstall.js
  • .ad/x0.js
  • .ad/x12.js
  • .ad/web-command.js
  • src/web-panel/ws.js
  • ~/.nolimit/eula.json
  • npm global prefix/nolimit.cmd
  • ~/.nolimit/activation.json
  • ./smtps.txt
  • ./extracted/
  • ./dkim/
  • Chrome extension directory under user home
Network endpoints (7)
  • graph.microsoft.com
  • oauth2.googleapis.com/device/code
  • oauth2.googleapis.com/token
  • people.googleapis.com
  • dns.google/resolve
  • smtp.gmail.com
  • smtp.office365.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json declares install hooks and an obfuscated CLI main at .ad/x0.js
  • CLI implements bulk email/SMS sending via nodemailer and provider APIs in .ad/x0.js
  • CLI can collect contacts/mail recipients through Microsoft Graph, Google People, and IMAP in .ad/x12.js
  • web-command creates a Chrome extension with <all_urls> permission and localhost WebSocket injection, but only via nolimit web --setup
  • src/web-panel/ws.js injects a sending panel into active webmail pages and automates compose/send DOM actions
Evidence against
  • scripts/preinstall.js is an interactive EULA and only writes ~/.nolimit/eula.json on acceptance
  • scripts/postinstall.js only creates a Windows nolimit.cmd shim after resolving npm prefix
  • No lifecycle hook writes Claude/Codex/Cursor/MCP/agent control surfaces
  • No install-time credential harvesting or network exfiltration found
  • Dangerous extension setup and sending/contact features are user-invoked CLI flows
Behavioral surface
Source: ChildProcess, Filesystem, Shell
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 3 file(s), 22.5 KB of source

Source & flagged code

6 flagged

package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.preinstall = node scripts/preinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
src/web-panel/ws.js
Line 269 contains invisible/control Unicode U+202A (left-to-right embedding):
const sendBtn = document.querySelector('[data-tooltip="Send <U+202A>(Ctrl-Enter)<U+202C>"]') ||
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
scripts/postinstall.js
matchType = normalized_sha256
matchedPackage = nolimit-agent@1.0.327
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.327
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/postinstall.js
matchType = malicious_source_fingerprint_signature
signature = 97ad344d2ec43431
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = nolimit-agent@1.0.327
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.327
similarity = 1.000
shingleOverlap = 2
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

Findings

1 Critical · 3 High · 3 Medium · 4 Low
Critical · Trojan Source Unicode · src/web-panel/ws.js
High · Install Time Lifecycle Scripts · package.json
High · Known Malware Source Similarity · scripts/postinstall.js
High · Known Malware Source Fingerprint Signature · scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings