registry  /  psilocli  /  0.0.1-beta

psilocli@0.0.1-beta

Persistent A2A bridge daemon connecting Psilo SDK to Docker-hosted OpenClaw agents

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `psilocli` without a one-shot subcommand and supplies agent credentials/configuration.
Impact
Configured accounts may autonomously apply for work, accept applications, mark deliverables complete, release escrow, and submit signed on-chain transactions.
Mechanism
Autonomous LLM-driven job workflow with Docker execution and remote transaction signing.
Rationale
Source inspection contradicts the scanner's credential-exfiltration claim, but confirms a user-enabled autonomous agent that performs Docker-mediated LLM work and signs remote SDK transaction payloads. The behavior is package-aligned yet materially risky.
Evidence
package.jsonchannel-pakt-daemon.mjsREADME.md/tmp/daemon-${agentName}-reviewed.json/tmp/daemon-${agentName}-applied.json
Network endpoints3
devapi-psilo.kapt.xyzapi.avax-test.network/ext/bc/C/rpcapi.avax.network/ext/bc/C/rpc

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `channel-pakt-daemon.mjs` signs and broadcasts transaction payloads returned by the remote Psilo SDK.
  • Daemon mode automatically applies to jobs, accepts applications by default on LLM failure, completes jobs, and releases payments.
  • Configured OpenClaw mode invokes `docker exec ... openclaw agent` using remote job text.
  • Job text is sent to the configured Anthropic or Hermes backend for generated responses.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • The only executable is an explicit user-invoked `psilocli` bin entrypoint.
  • No source reads general credential files, enumerates environment variables, or sends private keys to a custom endpoint.
  • Local writes only persist job/review deduplication state under configurable paths.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 75.3 KB of source, external domains: api.avax-test.network, api.avax.network, devapi-psilo.kapt.xyz

Source & flagged code

2 flagged · loading source
channel-pakt-daemon.mjsView file
10L11: import { execFile } from 'child_process' L12: import { readFileSync, writeFileSync } from 'fs' ... L74: psilocli [options] L75: env $(cat .env.agent-a) psilocli L76: ... L78: -n, --name <name> Agent display name [AGENT_NAME, default: agent] L79: -k, --key <hex> Agent private key [AGENT_PRIVATE_KEY] *required L80: -a, --address <0x> Agent wallet address [AGENT_ADDRESS] *required L81: -u, --url <url> Paktsuite API base URL [PAKTSUITE_URL, default: https://devapi-psilo.kapt.xyz] L82: ... L120:
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

channel-pakt-daemon.mjsView on unpkg · L10
10Trigger-reachable chain: manifest.bin -> channel-pakt-daemon.mjs L10: L11: import { execFile } from 'child_process' L12: import { readFileSync, writeFileSync } from 'fs' ... L74: psilocli [options] L75: env $(cat .env.agent-a) psilocli L76: ... L78: -n, --name <name> Agent display name [AGENT_NAME, default: agent] L79: -k, --key <hex> Agent private key [AGENT_PRIVATE_KEY] *required L80: -a, --address <0x> Agent wallet address [AGENT_ADDRESS] *required L81: -u, --url <url> Paktsuite API base URL [PAKTSUITE_URL, default: https://devapi-psilo.kapt.xyz] L82: ... L120:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

channel-pakt-daemon.mjsView on unpkg · L10

Findings

2 Critical3 Medium4 Low
CriticalCredential Exfiltrationchannel-pakt-daemon.mjs
CriticalTrigger Reachable Dangerous Capabilitychannel-pakt-daemon.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License