[AAASM-4122] 🔒 (install): Replace claimable .io install host with canonical agent-assembly.com#212
Conversation
…ll.sh Same claimable-.io-host fix as runtime.py, for the _install.py fast-fail hint. Refs AAASM-4122 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01R7vqjjo5nrebYNt8WnCNbz
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
|
Senior review — APPROVE-READY (comment only, not an approval)Verdict: LGTM. Clean, correctly-scoped fix for the HIGH claimable-domain RCE (AAASM-4122). 1. CI: Green — 19/19 checks pass. No failures to triage. 2. Scope vs ticket: Full coverage of the shipped-SDK portion of AAASM-4122. Both offending sites replaced:
3. Side effects: None. Install-hint string constants only — no code path, control flow, or public API changed. 4. FE: N/A. Local validation (worktree @ 4b19067): pre-commit gate green — isort / autoflake / black / mypy all Passed; Independence: touches only Note the ticket's standing recommendation to defensively register — Claude Code |



Description
The Python SDK's runtime install hint fetched a shell script from
get.agent-assembly.ioand piped it straight into a shell. Bothget.agent-assembly.ioand the apexagent-assembly.ioresolve to NXDOMAIN — the.iodomain is unregistered and claimable. Any third party could registeragent-assembly.io, host a malicious script atget., and gain arbitrary code execution on every user/CI that follows the hint (classic claimable-domain supply-chain footgun; no checksum or signature gate).This PR repoints the hint at the canonical
https://agent-assembly.com/install.sh, which is registered (Cloudflare) and whose installer SHA256-verifies release tarballs againstSHA256SUMS. The brew-tap andpip installchannels already listed in the hint (fixed under AAASM-4072) are unchanged and remain the preferred first options.Two shipped modules emit this hint:
agent_assembly/runtime.py(INSTALL_HINT)agent_assembly/_install.py(INSTALL_HINT)The examples repo carries the same stale hint and is fixed in a separate PR under this ticket (
ai-agent-assembly/agent-assembly-examples).Type of Change
Breaking Changes
Related Issues
Testing
String-literal-only change to the printed install hint. Existing tests assert on the
INSTALL_HINTsymbol (not the literal URL) and continue to pass:pytest test/ -k "install or runtime"→ 74 passed, 10 skipped.ruff checkon the touched files is clean;ruff format --checkreports already-formatted; pre-commit (ruff/black/isort/mypy) passed on the touched files. (Repo-wideruff/mypybaseline noise from generated*_pb2.pyistubs and the optional-unbuiltagent_assembly._corenative module is pre-existing and unrelated.)Checklist