registry  /  tdm-sdk  /  0.0.5-beta

tdm-sdk@0.0.5-beta

DaOS SDK — autonomous agents, encrypted vault, x402 payments, Solana/EVM wallets, and a CLI dashboard for building monetizable agent systems

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `tdm mcp`/`tdm mcp setup` or the explicit `tdm connect` CLI flow.
Impact
A user-invoked command can extend an MCP client's project configuration and make the package's local runtime available.
Mechanism
Writes or updates project `.mcp.json` with a bundled MCP server command.
Rationale
Not malicious: no lifecycle execution or concrete covert attack chain was found. Warn because the package deliberately mutates an MCP configuration and registers a local agent runtime when the user invokes setup/connect.
Evidence
package.jsondist/bin/cli.cjsdist/index.cjsdist/gateway-auth.cjs.mcp.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/bin/cli.cjs` implements `tdm mcp` setup that creates or updates a project `.mcp.json`.
  • The CLI `connect` flow also invokes MCP project configuration setup.
  • The generated MCP entry launches the bundled `tdm mcp serve` runtime for an MCP client.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • MCP configuration mutation is documented and reached through explicit CLI commands, not package import or installation.
  • No clipboard API identifiers, raw `eval`, or `new Function` were found in shipped JS; the clipboard finding is a false positive.
  • `dist/gateway-auth.cjs` dynamic `child_process` loading supports local vault/Windows ACL handling, not clipboard replacement.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 11.7 MB of source, external domains: 127.0.0.1, api.binance.com, api.coinbase.com, api.deepseek.com, api.example.com, api.mainnet.solana.com, backpack.app, brave.com, cdn.example.com, clob.polymarket.com, custom-gateway.io, docs.todealmarket.com, github.com, glow.app, json-schema.org, mainnet.base.org, mainnet.helius-rpc.com, metamask.io, nightly.app, notes.example.com, openrouter.ai, phantom.app, rabby.io, reactjs.org, solflare.com, t.me, tdm.todealmarket.com, todealmarket.com, trustwallet.com, twitter.com, wa.me, wallet.coinbase.com, www.facebook.com, www.linkedin.com, www.w3.org, yourplugin.com
Oversized source lightweight scan
dist/bin/cli.cjs3.01 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsapi.example.comcdn.example.commainnet.helius-rpc.comnotes.example.comtdm.todealmarket.com

Source & flagged code

6 flagged · loading source
dist/gateway-auth.cjsView file
355success: zod.z.boolean(), L356: data: zod.z.unknown().optional(), L357: error: zod.z.object({ ... L472: import('fs/promises'), L473: import('child_process') L474: ]); ... L497: } L498: if (process.platform !== "win32") { L499: const { fs } = await loadNodeApis(); ... L510: } L511: const hardenToggle = process.env["TDM_WINDOWS_ACL_HARDEN"]?.trim().toLowerCase(); L512: const aclHardeningEnabled = hardenToggle === void 0 || hardenToggle === "" || hardenToggle === "1" || hardenToggle === "true" || hardenToggle === "on";
Critical
Clipboard Crypto Hijack

Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses.

dist/gateway-auth.cjsView on unpkg · L355
2L3: var zod = require('zod'); L4: var util = require('util');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/gateway-auth.cjsView on unpkg · L2
dist/index.cjsView file
Trigger-reachable chain: manifest.main -> dist/index.cjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg
examples/protocol-first/python_authorize.pyView file
path = examples/protocol-first/python_authorize.py kind = build_helper sizeBytes = 623 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/protocol-first/python_authorize.pyView on unpkg
dist/bin/cli.cjsView file
path = dist/bin/cli.cjs kind = oversized_source_file sizeBytes = 3159719 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/bin/cli.cjsView on unpkg
path = dist/bin/cli.cjs kind = oversized_cli_entrypoint sizeBytes = 3159719 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/bin/cli.cjsView on unpkg

Findings

2 Critical1 High7 Medium4 Low
CriticalClipboard Crypto Hijackdist/gateway-auth.cjs
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
HighOversized Source Filedist/bin/cli.cjs
MediumDynamic Requiredist/gateway-auth.cjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperexamples/protocol-first/python_authorize.py
MediumOversized Cli Entrypointdist/bin/cli.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings