From 229258d4e5c3994f743371df57f225f4422f26e8 Mon Sep 17 00:00:00 2001 From: Chisanan232 Date: Sun, 5 Jul 2026 17:02:53 +0800 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20(runtime):=20Replace=20claimable?= =?UTF-8?q?=20.io=20install=20host=20with=20canonical=20agent-assembly.com?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The missing-binary INSTALL_HINT told users to fetch a script from the unregistered (NXDOMAIN, claimable) get.agent-assembly.io and pipe it to a shell — a supply-chain RCE vector. Point at the canonical Cloudflare host https://agent-assembly.com/install.sh, byte-matching python-sdk's hint. Completes AAASM-4122 for node-sdk. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01R7vqjjo5nrebYNt8WnCNbz
---
 src/runtime.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/runtime.ts b/src/runtime.ts
index cab0a1f0..936b0318 100644
--- a/src/runtime.ts
+++ b/src/runtime.ts
@@ -39,7 +39,7 @@ export const INSTALL_HINT: string = [
 "agent-assembly runtime not found.",
 " Install with: pnpm add agent-assembly",
 " Or manually: brew install ai-agent-assembly/tap/aasm",
- " curl -fsSL https://get.agent-assembly.io | sh",
+ " curl -fsSL https://agent-assembly.com/install.sh | sh",
 ].join("\n");
 /**
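Review bot: The replaced line in `INSTALL_HINT` still tells users to pipe a remote script straight into `sh`, so the hint is only as safe as `agent-assembly.com` staying registered and project-controlled, and nothing in the hunk documents or enforces that. I would add a comment above the array, for example `// Install host must be a domain the project owns; keep byte-identical to python-sdk's hint (AAASM-4122).` I would also add a unit test asserting that `INSTALL_HINT` contains `https://agent-assembly.com/install.sh` and does not contain `get.agent-assembly.io`, so the claimable host cannot be reintroduced unnoticed. The `INSTALL_HINT` declaration starts above the hunk, so the comment would go on a line not shown here.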