registry  /  spareai  /  0.20.3

spareai@0.20.3

Sell your spare AI capacity — the SpareAI provider CLI turns idle Claude / Codex / Gemini subscription quota into per-request income.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package triggers remote-content installation into multiple AI-agent control surfaces without user confirmation. It also attempts package-manager installs during npm postinstall.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
`npm install spareai` or global installation executes `postinstall`.
Impact
A registry package can modify Claude Code, Codex, and OpenClaw behavior by placing remotely fetched instructions in their user-level skill directories.
Mechanism
Remote AI-agent skill injection via npm lifecycle hook.
Policy narrative
The package's automatic postinstall fetches a remotely controlled skill document and writes it into three separate user-level AI-agent instruction/extension locations. This is unconsented mutation of foreign, broad agent control surfaces and can alter future agent behavior independently of the npm command. A second postinstall hook also invokes system package managers to install yt-dlp.
Rationale
Source inspection confirms a concrete lifecycle-triggered remote payload write into Claude Code, Codex, and OpenClaw directories. This meets the blocking policy regardless of the package's stated relay functionality.
Evidence
package.jsonscripts/install-skill.cjsscripts/install-ytdlp.cjsdist/relay/upstream/claude-api.js~/.claude/commands/clawmoney.md~/.codex/skills/clawmoney/SKILL.md~/.openclaw/skills/clawmoney/SKILL.md
Network endpoints1
clawmoney.ai/skill.md

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `postinstall` automatically.
  • `scripts/install-skill.cjs` fetches remote `https://clawmoney.ai/skill.md`.
  • Postinstall writes fetched content into `~/.claude`, `~/.codex`, and `~/.openclaw`.
  • `scripts/install-ytdlp.cjs` invokes brew, pip, apt, or winget during install.
  • `dist/relay/upstream/claude-api.js` reads local Claude/OpenClaw OAuth credentials for relay use.
Evidence against
  • The relay credential flow is activated by provider/daemon runtime, not import.
  • Relay executor attempts to isolate spawned CLI work in an empty sandbox.
  • The skill installer checks for a YAML-style prefix before writing.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 263 file(s), 1.15 MB of source, external domains: 127.0.0.1, accounts.google.com, api.anthropic.com, api.bnbot.ai, api.github.com, api.iconify.design, api.kimi.com, api.minimax.io, api.minimaxi.com, api.z.ai, auth.kimi.com, auth.openai.com, chatgpt.com, chromewebstore.google.com, clawmoney.ai, cloudcode-pa.googleapis.com, coding.dashscope.aliyuncs.com, creator.douyin.com, creator.xiaohongshu.com, daily-cloudcode-pa.sandbox.googleapis.com, gemini.google.com, generativelanguage.googleapis.com, github.com, keepachangelog.com, labs.google, m.tiktok.com, mainnet.base.org, myaccount.google.com, oauth2.googleapis.com, pay.clawmoney.ai, platform.claude.com, semver.org, twitter.com, witness.bnbot.ai, www.bilibili.com, www.googleapis.com, www.tiktok.com, www.w3.org, www.youtube.com, x.com

Source & flagged code

15 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skill.cjs && node scripts/install-ytdlp.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install-skill.cjs && node scripts/install-ytdlp.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/ui/companion.jsView file
9// for the same reason). L10: import { spawn, spawnSync } from 'node:child_process'; L11: import fs from 'node:fs';
High
Child Process

Package source references child process execution.

dist/ui/companion.jsView on unpkg · L9
9// for the same reason). L10: import { spawn, spawnSync } from 'node:child_process'; L11: import fs from 'node:fs'; ... L17: import { spareaiDir } from '../utils/home.js'; L18: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L19: // Companion source shipped in the npm package: dist/ui/ -> ../../companion ... L22: const RUN_DIR = path.join(spareaiDir(), 'companion'); L23: const COMPANION_FILES = ['main.js', 'package.json', 'tray-icon.png', 'icon.png', 'icon.icns', 'preload.js']; L24: function copyCompanionFiles() { ... L43: function electronBinaryPath() { L44: if (process.platform === 'darwin') { L45: const dist = path.join(RUN_DIR, 'node_modules', 'electron', 'dist');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/ui/companion.jsView on unpkg · L9
dist/commands/tweet.jsView file
15stdio: 'inherit', L16: shell: true, L17: });
High
Shell

Package source references shell execution.

dist/commands/tweet.jsView on unpkg · L15
dist/relay/upstream/claude-bootstrap.jsView file
284const childEnv = { L285: ...process.env, L286: ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}`, L287: NO_PROXY: "127.0.0.1,localhost", ... L295: // users into a lower safety setting without consent. L296: claudeChild = spawn("claude", ["-p", "hi"], { L297: env: childEnv,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/relay/upstream/claude-bootstrap.jsView on unpkg · L284
scripts/probe-claude-api.mjsView file
11L12: import { execFileSync } from "node:child_process"; L13: import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs"; ... L16: import { randomUUID } from "node:crypto"; L17: import { ProxyAgent, setGlobalDispatcher } from "undici"; L18: ... L22: const proxyUrl = L23: process.env.HTTPS_PROXY || L24: process.env.https_proxy || ... L46: L47: const CLAWMONEY_DIR = join(homedir(), ".spareai"); L48: const FINGERPRINT_FILE = join(CLAWMONEY_DIR, "claude-fingerprint.json");
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

scripts/probe-claude-api.mjsView on unpkg · L11
matchType = normalized_sha256 matchedPackage = clawmoney@0.18.1 matchedPath = scripts/probe-claude-api.mjs matchedIdentity = npm:Y2xhd21vbmV5:0.18.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/probe-claude-api.mjsView on unpkg
dist/utils/awal.jsView file
14return new Promise((resolve, reject) => { L15: const child = spawn('npx', ['awal', ...finalArgs], { L16: stdio: ['inherit', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/awal.jsView on unpkg · L14
scripts/install-market-launchd.shView file
path = scripts/install-market-launchd.sh kind = build_helper sizeBytes = 6898 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install-market-launchd.shView on unpkg
companion/icon.icnsView file
path = companion/icon.icns kind = high_entropy_blob sizeBytes = 714079 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

companion/icon.icnsView on unpkg
dist/relay/executor.jsView file
matchType = normalized_sha256 matchedPackage = clawmoney@0.18.1 matchedPath = dist/relay/executor.js matchedIdentity = npm:Y2xhd21vbmV5:0.18.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/relay/executor.jsView on unpkg
dist/task/skills/youtube/_ytdlp.jsView file
matchType = normalized_sha256 matchedPackage = clawmoney@0.18.1 matchedPath = dist/task/skills/youtube/_ytdlp.js matchedIdentity = npm:Y2xhd21vbmV5:0.18.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/task/skills/youtube/_ytdlp.jsView on unpkg
dist/commands/antigravity.jsView file
matchType = normalized_sha256 matchedPackage = clawmoney@0.18.1 matchedPath = dist/commands/antigravity.js matchedIdentity = npm:Y2xhd21vbmV5:0.18.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/commands/antigravity.jsView on unpkg
dist/relay/upstream/chatgpt-web.jsView file
matchType = normalized_sha256 matchedPackage = clawmoney@0.18.1 matchedPath = dist/relay/upstream/chatgpt-web.js matchedIdentity = npm:Y2xhd21vbmV5:0.18.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/relay/upstream/chatgpt-web.jsView on unpkg

Findings

1 Critical12 High5 Medium5 Low
CriticalCredential Exfiltrationscripts/probe-claude-api.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/ui/companion.js
HighShelldist/commands/tweet.js
HighSame File Env Network Executiondist/relay/upstream/claude-bootstrap.js
HighSandbox Evasion Gated Capabilitydist/ui/companion.js
HighRuntime Package Installdist/utils/awal.js
HighShips High Entropy Blobcompanion/icon.icns
HighKnown Malware Source Similaritydist/relay/executor.js
HighKnown Malware Source Similaritydist/task/skills/youtube/_ytdlp.js
HighKnown Malware Source Similarityscripts/probe-claude-api.mjs
HighKnown Malware Source Similaritydist/commands/antigravity.js
HighKnown Malware Source Similaritydist/relay/upstream/chatgpt-web.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/install-market-launchd.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings