registry  /  volute  /  0.46.0

volute@0.46.0

CLI for creating and managing self-modifying AI minds powered by the Claude Agent SDK

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time or import-time attack surface was found. The package intentionally creates and runs AI-agent minds with broad permissions and generated hooks, which is a first-party agent lifecycle risk rather than covert malware.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
explicit volute setup/mind runtime/extension commands
Impact
User-created minds and extensions may execute commands and access local/network resources by design.
Mechanism
first-party AI-agent runtime with generated hooks and permissive SDK execution
Rationale
Static inspection shows dangerous AI-agent capabilities, hooks, child process use, and package installation are part of explicit Volute setup/runtime features, not unconsented npm lifecycle mutation or covert exfiltration. Warn is appropriate for first-party agent control-surface risk, but publish blocking is not supported by source facts.
Evidence
package.jsondist/cli.jsdist/daemon.jsdist/chunk-JO5IO4FH.jsdist/chunk-JZ62SYWR.jstemplates/_base/.init/.local/hooks/wake-context.shtemplates/claude/.init/.claude/settings.jsontemplates/claude/src/agent.tstemplates/codex/src/agent.ts
Network endpoints4
volute.systems127.0.0.1localhostopenrouter.ai/api/v1/embeddings

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • templates/claude/src/agent.ts runs Claude SDK with permissionMode bypassPermissions and allowDangerouslySkipPermissions.
  • templates/codex/src/agent.ts resumes Codex threads with sandboxMode danger-full-access and networkAccessEnabled true.
  • templates/claude/.init/.claude/settings.json installs a SessionStart command hook in generated mind templates.
  • dist/chunk-JO5IO4FH.js supports user-invoked extension npm install, but uses --ignore-scripts.
Evidence against
  • package.json has no preinstall/install/postinstall; prepare is lefthook install for dev/git lifecycle.
  • dist/cli.js only dispatches explicit CLI commands and localhost daemon extension commands.
  • Network use is package-aligned: localhost daemon, npm update flow, volute.systems account/cloud APIs, OpenRouter embedding config.
  • templates/_base/.init/.local/hooks/wake-context.sh is a benign empty hook stub with comments only.
  • No credential harvesting or exfiltration to unrelated endpoints found in inspected source.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 188 file(s), 2.08 MB of source, external domains: 127.0.0.1, api.telegram.org, discord.com, github.com, openrouter.ai, registry.npmjs.org, restic.net, slack.com, svelte.dev, volute.systems, www.apple.com, www.w3.org

Source & flagged code

11 flagged · loading source
dist/chunk-JZ62SYWR.jsView file
9// [redacted].ts L10: import { execFileSync } from "child_process"; L11: var slog = logger_default.child("sandbox");
High
Child Process

Package source references child process execution.

dist/chunk-JZ62SYWR.jsView on unpkg · L9
dist/backup-TST5C2YN.jsView file
369commands: { L370: init: { description: "Configure and initialize the backup repository", run: initCmd.execute }, L371: create: { description: "Run a backup now", run: createCmd.execute },
High
Shell

Package source references shell execution.

dist/backup-TST5C2YN.jsView on unpkg · L369
dist/chunk-JO5IO4FH.jsView file
matchType = previous_version_dangerous_delta matchedPackage = volute@0.40.2 matchedIdentity = npm:dm9sdXRl:0.40.2 similarity = 0.617 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-JO5IO4FH.jsView on unpkg
108Cross-file remote execution chain: dist/chunk-JO5IO4FH.js spawns dist/src-OJHARHTF.js; helper contains network access plus dynamic code execution. L108: // [redacted]-manager.ts L109: import { execFile as execFile2, spawn as spawnChild } from "child_process"; L110: import { ... L132: try { L133: const res = await fetch(`http://127.0.0.1:${port}/health`, { L134: signal: AbortSignal.timeout(2e3) ... L136: if (!res.ok) return { ok: false }; L137: const data = await res.json(); L138: return { ok: true, name: data.name }; ... L228: this.stream = createWriteStream(this.path); L229: oldStream.end(); L230: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-JO5IO4FH.jsView on unpkg · L108
936try { L937: const { getSleepManagerIfReady: getSleepManagerIfReady2 } = await import("./sleep-manager-G6TXSDP7.js"); L938: const sleepMgr = getSleepManagerIfReady2();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-JO5IO4FH.jsView on unpkg · L936
dist/chunk-CDPBTTZO.jsView file
11// [redacted]-install.ts L12: import { execFile } from "child_process"; L13: import { mkdirSync, writeFileSync } from "fs"; ... L37: if (opts?.host) args.push("--host", opts.host); L38: const logPath = resolve(homedir(), ".volute", "system", "daemon.log"); L39: return `<?xml version="1.0" encoding="UTF-8"?> ... L84: const voluteBin = resolveVoluteBin(); L85: const platform = process.platform; L86: if (platform === "darwin") { ... L90: try { L91: await execFileAsync("launchctl", ["bootout", `${uid}/${LAUNCHD_PLIST_LABEL}`]); L92: } catch {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-CDPBTTZO.jsView on unpkg · L11
dist/daemon.jsView file
623); L624: const daemonToken = process.env.VOLUTE_DAEMON_TOKEN; L625: if (!daemonToken) { ... L632: ...process.env, L633: VOLUTE_DAEMON_URL: `http://${daemonLoopback()}:${daemonPort}`, L634: VOLUTE_DAEMON_TOKEN: daemonToken, ... L638: }; L639: const child = spawn(process.execPath, [builtinBridge], spawnOpts); L640: let lastStderr = "";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/daemon.jsView on unpkg · L623
632...process.env, L633: VOLUTE_DAEMON_URL: `http://${daemonLoopback()}:${daemonPort}`, L634: VOLUTE_DAEMON_TOKEN: daemonToken, ... L638: }; L639: const child = spawn(process.execPath, [builtinBridge], spawnOpts); L640: let lastStderr = ""; L641: child.stdout?.pipe(logStream); L642: child.stderr?.on("data", (chunk) => { L643: logStream.write(chunk); L644: lastStderr = chunk.toString().trim();
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/daemon.jsView on unpkg · L632
7381const [cmd, args] = await wrapForIsolation("npm", ["install"], mindName); L7382: await exec(cmd, args, { L7383: cwd: variantDir, ... L7390: const msg = e instanceof Error ? e.message : String(e); L7391: return c.json({ error: `npm install failed: ${msg}` }, 500); L7392: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/daemon.jsView on unpkg · L7381
dist/skills/dreaming/scripts/wake-context-dreams.shView file
path = [redacted]-context-dreams.sh kind = build_helper sizeBytes = 1180 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/skills/dreaming/scripts/wake-context-dreams.shView on unpkg
templates/_base/.init/.local/hooks/wake-context.shView file
path = templates/_base/.init/.local/hooks/wake-context.sh kind = payload_in_excluded_dir sizeBytes = 421 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/_base/.init/.local/hooks/wake-context.shView on unpkg

Findings

1 Critical7 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/chunk-JO5IO4FH.js
HighChild Processdist/chunk-JZ62SYWR.js
HighShelldist/backup-TST5C2YN.js
HighSame File Env Network Executiondist/daemon.js
HighCommand Output Exfiltrationdist/daemon.js
HighCross File Remote Execution Contextdist/chunk-JO5IO4FH.js
HighRuntime Package Installdist/daemon.js
HighPayload In Excluded Dirtemplates/_base/.init/.local/hooks/wake-context.sh
MediumDynamic Requiredist/chunk-JO5IO4FH.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-CDPBTTZO.js
MediumShips Build Helperdist/skills/dreaming/scripts/wake-context-dreams.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings