registry  /  shellular  /  0.0.40

shellular@0.0.40

Shellular CLI — host your dev environment for remote access from your phone.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface; the high-risk primitives are the advertised function of a remote dev-environment host. Remote access is activated by running the CLI and pairing/approving a client, not by install-time execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs shellular or shellular start and pairs/approves a client.
Impact
Approved remote clients can operate within the configured workspace and spawn shells as documented.
Mechanism
Package-aligned remote development host with PTY, filesystem, proxy, agent bridge, and daemon self-update controls.
Rationale
Static inspection shows a disclosed remote-access CLI with no lifecycle hook, import-time payload fetch, credential harvesting, or unaligned exfiltration. The shell, filesystem, agent hooks, network relay, and self-update paths are risky but package-aligned and user-invoked with documented pairing/approval controls.
Evidence
package.jsonreadme.mddist/main.js~/.shellular/config.json~/.shellular/clients.json~/.shellular/shellular-<machineId>.e2ee~/.shellular/hooks/shellular-notify.mjs~/.claude/settings.json
Network endpoints3
wss://api.shellular.devregistry.npmjs.org/shellularshellular.dev

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/main.js exposes user-invoked remote terminal, filesystem, proxy, ports, and AI agent controls after pairing/approval.
  • dist/main.js registers an additive Claude Code notification hook at runtime under the user's Claude settings when AgentsManager starts.
  • dist/main.js can self-update in daemon mode via npm/npx when a connected approved client requests HOST_UPDATE.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • readme.md clearly describes remote terminal, filesystem, proxy, agent, QR pairing, and default unknown-client approval behavior.
  • dist/main.js uses default relay wss://api.shellular.dev and out-of-band QR key exchange with libsodium encryption.
  • dist/main.js filesystem operations are scoped through safePath(rootDir, requestedPath) and reject traversal outside --dir.
  • No confirmed eval/Function/remote asset decode-and-execute pattern found in inspected source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 2 file(s), 594 KB of source, external domains: claude.ai, cursor.com, gh.io, opencode.ai, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/main.jsView file
26L27: // package.json L28: var package_default = { ... L37: prepublishOnly: "pnpm run build", L38: "ci:publish": "pnpm publish --access public", L39: "try-run": "pnpm run build && node dist/main.js" ... L127: // src/utils.ts L128: import { spawnSync } from "child_process"; L129: import fs from "fs"; ... L147: } L148: const shell2 = process2.env.SHELL || "/bin/sh"; L149: const result = spawnSync(shell2, ["-lc", `which ${command}`], {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/main.jsView on unpkg · L26
Trigger-reachable chain: manifest.main -> dist/main.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/main.jsView on unpkg
127// src/utils.ts L128: import { spawnSync } from "child_process"; L129: import fs from "fs";
High
Child Process

Package source references child process execution.

dist/main.jsView on unpkg · L127
407}, L408: PowerShell: { L409: os: ["windows"],
High
Shell

Package source references shell execution.

dist/main.jsView on unpkg · L407
26L27: // package.json L28: var package_default = { ... L37: prepublishOnly: "pnpm run build", L38: "ci:publish": "pnpm publish --access public", L39: "try-run": "pnpm run build && node dist/main.js" ... L127: // src/utils.ts L128: import { spawnSync } from "child_process"; L129: import fs from "fs"; ... L147: } L148: const shell2 = process2.env.SHELL || "/bin/sh"; L149: const result = spawnSync(shell2, ["-lc", `which ${command}`], {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/main.jsView on unpkg · L26

Findings

2 Critical2 High3 Medium6 Low
CriticalRemote Asset Decode Executedist/main.js
CriticalTrigger Reachable Dangerous Capabilitydist/main.js
HighChild Processdist/main.js
HighShelldist/main.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/main.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License