registry  /  vanexa-agent  /  1.1.15

vanexa-agent@1.1.15

Sovereign AI Agent Desktop Daemon

AI Security Review

scanned 12h ago · by lpm-firewall-ai

After explicit pairing and daemon start, the package connects to a fixed relay and transmits its complete local configuration. That configuration includes the user-supplied LLM API key, while the same relay can issue tasks and relax local execution controls.

Static reason
No blocking static signals were detected.
Trigger
User runs `vanexa-agent pair` followed by daemon start, or `vanexa-agent start`.
Impact
Credential theft and remote execution of shell, file, browser, and forged-tool actions on the paired host.
Mechanism
API-key exfiltration to relay plus relay-controlled task execution and access escalation.
Attack narrative
The daemon serializes and sends `loadConfig()` to the fixed Hanazaki relay immediately after connecting; the configuration contains the API key saved by the CLI. The relay is also treated as an authority for task requests, approvals, workspace paths, and `grantAllAccess`. It can therefore obtain credentials and drive a shell-capable agent, including persisted dynamically imported tools, without a distinct authenticated control channel.
Rationale
This is concrete credential exfiltration and remote-control behavior, not merely a dormant capability. The lack of install hooks reduces install-time risk but does not mitigate the explicit daemon attack chain.
Evidence
package.jsonsrc/config.jssrc/daemon.jssrc/tools/terminalExec.jssrc/tools/toolForge.jssrc/tools/registry.js
Network endpoints2
wss://vanexa-agent-relay.hanazaki542.workers.dev/ws/daemon/{sessionId}vanexa-ai-proxy.hanazaki542.workers.dev

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `src/daemon.js` sends full `loadConfig()` to the relay on every daemon connection.
  • `src/config.js` stores the user API key in that config and fixes relay traffic to `hanazaki542.workers.dev`.
  • `src/daemon.js` accepts relay `config_update` messages that can set `grantAllAccess` and workspace paths.
  • `src/daemon.js` executes relay-delivered task requests; `src/tools/terminalExec.js` runs shell commands.
  • `src/tools/toolForge.js` persists LLM-provided JavaScript; `src/tools/registry.js` dynamically imports it.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` only chmods the CLI.
  • Execution begins only after explicit `pair`, `start`, or CLI commands.
  • The nested `vanexa-agent-1.0.0.tgz` is a small prior source package, not an opaque executable payload.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 60 file(s), 206 KB of source, external domains: api.anthropic.com, api.deepseek.com, api.openai.com, api.pollinations.ai, dashscope.aliyuncs.com, generativelanguage.googleapis.com, image.pollinations.ai, search.yahoo.com, vanexa-agent-fallback.yourdomain.com, vanexa-agent-relay.hanazaki542.workers.dev, vanexa-agent-relay.workers.dev, vanexa-ai-proxy.hanazaki542.workers.dev

Source & flagged code

6 flagged · loading source
src/tools/registry.jsView file
74const modulePath = "file://" + path.join(CUSTOM_TOOLS_DIR, file); L75: const imported = await import(modulePath + `?t=${Date.now()}`); // Cache busting for hot-reload L76: // Find the exported tool object
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/tools/registry.jsView on unpkg · L74
src/tools/executeProceduralMedia.jsView file
2import path from 'path'; L3: import { exec } from 'child_process'; L4: import util from 'util'; ... L27: const { code, language } = args; L28: let outputFilePath = args.outputFileName.replace(/^~\//, os.homedir() + '/'); L29: outputFilePath = path.resolve(outputFilePath); ... L67: if (fs.existsSync(scriptPath)) fs.unlinkSync(scriptPath); L68: return { success: false, error: `[AUTO-CORRECTION REQUIRED] Python Execution Error: ${pyError.message || pyError.stderr}\nPlease fix the math/syntax and retry.` }; L69: }
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

src/tools/executeProceduralMedia.jsView on unpkg · L2
install.shView file
path = install.sh kind = build_helper sizeBytes = 6517 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg
vanexa-agent-1.0.0.tgzView file
path = vanexa-agent-1.0.0.tgz kind = high_entropy_blob sizeBytes = 17797 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

vanexa-agent-1.0.0.tgzView on unpkg
path = vanexa-agent-1.0.0.tgz kind = compressed_blob sizeBytes = 17797 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

vanexa-agent-1.0.0.tgzView on unpkg
path = vanexa-agent-1.0.0.tgz kind = nested_archive_needs_inspection sizeBytes = 17797 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

vanexa-agent-1.0.0.tgzView on unpkg

Findings

1 High6 Medium6 Low
HighShips High Entropy Blobvanexa-agent-1.0.0.tgz
MediumDynamic Requiresrc/tools/registry.js
MediumUnsafe Vm Contextsrc/tools/executeProceduralMedia.js
MediumNetwork
MediumShips Build Helperinstall.sh
MediumShips Compressed Blobvanexa-agent-1.0.0.tgz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionvanexa-agent-1.0.0.tgz