registry  /  tdm-sdk  /  0.0.4-beta

tdm-sdk@0.0.4-beta

DaOS SDK — autonomous agents, encrypted vault, x402 payments, Solana/EVM wallets, and a CLI dashboard for building monetizable agent systems

AI Security Review

scanned 13h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package provides user-invoked SDK/CLI features for wallets, vault storage, plugins, and network clients without install-time execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit import API calls or execution of the tdm CLI.
Impact
No unconsented credential exfiltration, clipboard hijack, persistence, or foreign AI-agent configuration mutation was confirmed.
Mechanism
Command-driven SDK, local vault, and signed hub/plugin tooling.
Rationale
The scanner's clipboard-hijack signal is unsupported by source inspection: matching readText/writeText calls are package filesystem abstractions, not clipboard APIs. Crypto, keyring, network, plugin, and subprocess capabilities are aligned with the advertised SDK/CLI and are explicitly invoked rather than lifecycle-triggered.
Evidence
package.jsondist/index.cjsdist/gateway-auth.cjsdist/runtime.mjsdist/bin/cli.cjs

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall/prepare lifecycle hook.
    • No clipboard API or wallet-address replacement code found in dist artifacts.
    • dist/index.cjs is an export-oriented SDK entrypoint; no startup network or CLI invocation found.
    • dist/gateway-auth.cjs dynamically imports declared dependencies for keytar/crypto use.
    • dist/runtime.mjs restricts remote hub catalogs to HTTP(S) and validates install sources.
    • dist/bin/cli.cjs subprocess and network features are command-driven CLI functionality.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedProtestwareUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 54 file(s), 11.7 MB of source, external domains: 127.0.0.1, api.binance.com, api.coinbase.com, api.deepseek.com, api.example.com, api.mainnet.solana.com, backpack.app, brave.com, cdn.example.com, clob.polymarket.com, custom-gateway.io, docs.todealmarket.com, github.com, glow.app, json-schema.org, mainnet.base.org, mainnet.helius-rpc.com, metamask.io, nightly.app, notes.example.com, openrouter.ai, phantom.app, rabby.io, reactjs.org, solflare.com, t.me, tdm.todealmarket.com, todealmarket.com, trustwallet.com, twitter.com, wa.me, wallet.coinbase.com, www.facebook.com, www.linkedin.com, www.w3.org, yourplugin.com
    Oversized source lightweight scan
    dist/bin/cli.cjs3.01 MB file, sampled 256 KB
    FilesystemNetworkChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsapi.example.comcdn.example.commainnet.helius-rpc.comnotes.example.comtdm.todealmarket.com

    Source & flagged code

    6 flagged · loading source
    dist/gateway-auth.cjsView file
    355success: zod.z.boolean(), L356: data: zod.z.unknown().optional(), L357: error: zod.z.object({ ... L472: import('fs/promises'), L473: import('child_process') L474: ]); ... L497: } L498: if (process.platform !== "win32") { L499: const { fs } = await loadNodeApis(); ... L510: } L511: const hardenToggle = process.env["TDM_WINDOWS_ACL_HARDEN"]?.trim().toLowerCase(); L512: const aclHardeningEnabled = hardenToggle === void 0 || hardenToggle === "" || hardenToggle === "1" || hardenToggle === "true" || hardenToggle === "on";
    Critical
    Clipboard Crypto Hijack

    Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses.

    dist/gateway-auth.cjsView on unpkg · L355
    2L3: var zod = require('zod'); L4: var util = require('util');
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/gateway-auth.cjsView on unpkg · L2
    dist/index.cjsView file
    Trigger-reachable chain: manifest.main -> dist/index.cjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index.cjsView on unpkg
    examples/protocol-first/python_authorize.pyView file
    path = examples/protocol-first/python_authorize.py kind = build_helper sizeBytes = 623 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    examples/protocol-first/python_authorize.pyView on unpkg
    dist/bin/cli.cjsView file
    path = dist/bin/cli.cjs kind = oversized_source_file sizeBytes = 3159736 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/bin/cli.cjsView on unpkg
    path = dist/bin/cli.cjs kind = oversized_cli_entrypoint sizeBytes = 3159736 magicHex = [redacted]
    Medium
    Oversized Cli Entrypoint

    Package contains an oversized executable-looking CLI entrypoint.

    dist/bin/cli.cjsView on unpkg

    Findings

    2 Critical1 High7 Medium4 Low
    CriticalClipboard Crypto Hijackdist/gateway-auth.cjs
    CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
    HighOversized Source Filedist/bin/cli.cjs
    MediumDynamic Requiredist/gateway-auth.cjs
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumShips Build Helperexamples/protocol-first/python_authorize.py
    MediumOversized Cli Entrypointdist/bin/cli.cjs
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings