
nolimit-agent@1.0.334

Advanced email sender

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package, routed for review; source fingerprint signature matched known malicious package, routed for review.
Trigger
User runs the nolimit CLI/bin commands or injects/uses the web panel; install hooks only run EULA/shim setup.
Impact
Can facilitate spam/phishing campaigns and extraction of mailbox contacts from user-provided SMTP/OAuth accounts; no confirmed unconsented install-time exfiltration or AI-agent hijack.
Mechanism
bulk messaging, credential-backed mail automation, and contact harvesting tooling
Policy narrative
On install, the package prompts for an EULA and may create a Windows command shim. The real risk is runtime: the obfuscated CLI provides bulk email/SMS workflows, reads SMTP/OAuth configuration and recipient lists, can extract mailbox contacts through Graph/IMAP, writes campaign artifacts, and its web-panel script automates webmail compose/send actions against target lists. These capabilities are dangerous and abuse-prone, but the inspected lifecycle code does not silently hijack agent surfaces, persist, or exfiltrate at install time.
Rationale
Static inspection confirms dangerous spam/phishing-enabling capability, but activation is user-invoked and package-aligned rather than a concrete unconsented install-time compromise. This warrants a firewall warning, not a publish block under the provided policy.
Evidence
  • package.json
  • scripts/preinstall.js
  • scripts/postinstall.js
  • .ad/x0.js
  • src/web-panel/ws.js
  • templates/emails.txt
  • phonebook/numbers.txt
  • ~/.nolimit/eula.json
  • nolimit.cmd
  • .nolimit-mode
  • config.json
  • smtps.txt
  • contacts/
  • extracted/
  • dkim/

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • .ad/x0.js is a heavily obfuscated CLI entrypoint and contains bulk email/SMS sending, SMTP credential use, OAuth token storage, contact extraction from Graph/IMAP, DKIM setup, and webmail automation commands.
  • src/web-panel/ws.js injects a panel into Gmail/Outlook/Yahoo/Zoho/Proton webmail pages, fills compose fields, and clicks send for configured target lists.
  • package.json install hooks run automatically; hooks are not exfiltrative, but postinstall writes a Windows global nolimit.cmd shim and preinstall records EULA acceptance under ~/.nolimit.
  • Templates and defaults are mass-mail assets: templates/emails.txt, messages.html, smtps/senders, phonebook numbers, carrier gateways.
  • .ad/x0.js and modules write extracted contacts/output folders and credential config files in the working project such as smtps.txt, contacts/, extracted/ and dkim/.
Evidence against
  • No lifecycle code found planting Claude/Codex/Cursor/MCP agent control surfaces or foreign AI-agent instructions.
  • preinstall.js only prompts an EULA when interactive and writes ~/.nolimit/eula.json; non-TTY exits cleanly.
  • postinstall.js only executes on Windows to create a package bin shim for .ad/x0.js, not persistence/autostart.
  • Observed risky network use is part of invoked SMTP/SMS/OAuth/DNS/webmail functionality rather than install-time exfiltration.
Behavioral surface
Source
ChildProcess · Filesystem · Shell
Supply chain
HighEntropyStrings
Manifest
No manifest risk signals triggered.
scanned 3 file(s), 22.5 KB of source

Source & flagged code

6 flagged

package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.preinstall = node scripts/preinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

src/web-panel/ws.js
L269: contains invisible/control Unicode U+202A (left-to-right embedding): const sendBtn = document.querySelector('[data-tooltip="Send <U+202A>(Ctrl-Enter)<U+202C>"]') ||
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/web-panel/ws.js · L269

scripts/postinstall.js
matchType = normalized_sha256
matchedPackage = nolimit-agent@1.0.327
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.327
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/postinstall.js
matchType = malicious_source_fingerprint_signature
signature = 97ad344d2ec43431
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = nolimit-agent@1.0.327
matchedPath = scripts/postinstall.js
matchedIdentity = npm:bm9saW1pdC1hZ2VudA:1.0.327
similarity = 1.000
shingleOverlap = 2
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

scripts/postinstall.js

Findings

1 Critical · 3 High · 3 Medium · 4 Low
  • Critical · Trojan Source Unicode · src/web-panel/ws.js
  • High · Install Time Lifecycle Scripts · package.json
  • High · Known Malware Source Similarity · scripts/postinstall.js
  • High · Known Malware Source Fingerprint Signature · scripts/postinstall.js
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings