registry  /  shellular  /  0.0.41

shellular@0.0.41

Shellular CLI — host your dev environment for remote access from your phone.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a high-capability remote development host, but the observed capabilities match its documented CLI purpose and are gated by pairing/encryption and client approval.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs shellular or shellular start/__daemon
Impact
Approved clients can operate on the selected working directory and spawn shells/agents as intended by the package.
Mechanism
remote dev relay with encrypted WebSocket, approved-client command handlers, PTY/filesystem/proxy/AI-agent features
Rationale
Static inspection confirms dangerous primitives, but they are runtime features of a documented remote dev CLI rather than install-time, import-time, or covert behavior. I found no unrelated payload fetch/decode/execute, credential harvesting, persistence beyond user-invoked daemon/startup commands, or unapproved exfiltration path.
Evidence
package.jsonreadme.mddist/main.js~/.shellular/config.json~/.shellular/clients.json~/.shellular/agents.json~/.shellular/logs/self-updates/*.log~/.claude/settings.json
Network endpoints10
wss://api.shellular.devregistry.npmjs.org/shellularopencode.ai/installclaude.ai/install.shclaude.ai/install.ps1claude.ai/install.cmdgh.io/copilot-installcursor.com/installraw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.shraw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/main.js exposes user-invoked remote terminal, filesystem, proxy, ports, sysmon, and AI-agent controls after connection.
  • dist/main.js can write ~/.shellular files, image attachments, and additive Claude hooks in ~/.claude/settings.json during CLI runtime.
  • dist/main.js includes self-update and daemon management using npm/npx/pm2 when requested by a connected approved client.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts; main/bin are dist/main.js only.
  • readme.md describes the exact purpose: host a dev environment for remote access from a phone via Shellular relay.
  • Default server is wss://api.shellular.dev and registration/update endpoints are package-aligned; no unrelated exfiltration host found.
  • Scanner remote decode/execute appears noisy: base64 handling is for images/binary protocol data, with no eval/new Function/vm execution found.
  • Unknown clients default to requires-approval; foreground prompts and daemon rejects pending clients until approved.
  • Child processes are package-aligned: PTY shells, git/system probes, AI adapters, pm2 daemon, and self-update commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 2 file(s), 620 KB of source, external domains: claude.ai, cursor.com, gh.io, opencode.ai, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/main.jsView file
26L27: // package.json L28: var package_default = { ... L37: prepublishOnly: "pnpm run build", L38: "ci:publish": "pnpm publish --access public", L39: "try-run": "pnpm run build && node dist/main.js" ... L127: // src/utils.ts L128: import { spawnSync } from "child_process"; L129: import fs from "fs"; ... L147: } L148: const shell2 = process2.env.SHELL || "/bin/sh"; L149: const result = spawnSync(shell2, ["-lc", `which ${command}`], {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/main.jsView on unpkg · L26
Trigger-reachable chain: manifest.main -> dist/main.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/main.jsView on unpkg
127// src/utils.ts L128: import { spawnSync } from "child_process"; L129: import fs from "fs";
High
Child Process

Package source references child process execution.

dist/main.jsView on unpkg · L127
407}, L408: PowerShell: { L409: os: ["windows"],
High
Shell

Package source references shell execution.

dist/main.jsView on unpkg · L407
26L27: // package.json L28: var package_default = { ... L37: prepublishOnly: "pnpm run build", L38: "ci:publish": "pnpm publish --access public", L39: "try-run": "pnpm run build && node dist/main.js" ... L127: // src/utils.ts L128: import { spawnSync } from "child_process"; L129: import fs from "fs"; ... L147: } L148: const shell2 = process2.env.SHELL || "/bin/sh"; L149: const result = spawnSync(shell2, ["-lc", `which ${command}`], {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/main.jsView on unpkg · L26

Findings

2 Critical2 High3 Medium6 Low
CriticalRemote Asset Decode Executedist/main.js
CriticalTrigger Reachable Dangerous Capabilitydist/main.js
HighChild Processdist/main.js
HighShelldist/main.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/main.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License