registry  /  @bubblebrain-ai/bubble  /  0.0.30

@bubblebrain-ai/bubble@0.0.30

A terminal coding agent

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Dangerous primitives are aligned with an interactive terminal coding agent and require explicit CLI use, provider configuration, OAuth login, pasted image handling, or approved tool calls.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the bubble CLI or invokes agent tools/features.
Impact
No unconsented install-time/import-time execution, credential harvesting, persistence, or hidden exfiltration identified.
Mechanism
User-invoked coding agent capabilities with approvals and provider API calls
Rationale
Static inspection shows a feature-rich coding-agent CLI with expected network, shell, file, OAuth, MCP, update, and image clipboard functionality gated by user actions rather than lifecycle execution. Scanner hits map to package-aligned behavior and no concrete malicious behavior or hidden exfiltration was found.
Evidence
package.jsondist/bin.jsdist/main.jsdist/tools/bash.jsdist/tools/server-manager.jsdist/tui-ink/image-paste.jsdist/oauth/openai-codex.jsdist/oauth/storage.jsdist/config.jsdist/tools/exa-mcp.jsdist/update/index.js
Network endpoints9
auth.openai.com/oauth/authorizeauth.openai.com/oauth/tokenlocalhost:1455/auth/callbackchatgpt.com/backend-apiapi.openai.com/v1api.anthropic.comopenrouter.ai/api/v1mcp.exa.ai/mcpregistry.npmjs.org/@bubblebrain-ai/bubble/latest

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall/prepare lifecycle hooks; only a user-invoked bin at dist/bin.js.
    • dist/bin.js only checks for Bun and spawns dist/main.js when the bubble CLI is run.
    • dist/tui-ink/image-paste.js uses execFile for clipboard/image tools and temporary resize files, not shell-string execution or persistence.
    • dist/tools/bash.js and dist/tools/server-manager.js execute user/model-requested commands behind approval/tool interfaces for a coding agent.
    • dist/oauth/openai-codex.js implements PKCE OAuth to OpenAI endpoints with state validation and local callback.
    • dist/config.js and dist/oauth/storage.js store Bubble config/auth under ~/.bubble with no evidence of exfiltration outside configured providers.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 274 file(s), 1.79 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.kimi.com, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, api.openai.com, api.stepfun.com, api.together.xyz, api.z.ai, ark.cn-beijing.volces.com, auth.openai.com, bubble-feedback.chengshengdeng97.workers.dev, bun.sh, chatgpt.com, dashscope.aliyuncs.com, generativelanguage.googleapis.com, mcp.exa.ai, open.bigmodel.cn, openrouter.ai, registry.npmjs.org, system-proxy-default.invalid

    Source & flagged code

    5 flagged · loading source
    dist/tui-ink/image-paste.jsView file
    9*/ L10: import { execFile } from "node:child_process"; L11: import fs from "node:fs/promises";
    High
    Child Process

    Package source references child process execution.

    dist/tui-ink/image-paste.jsView on unpkg · L9
    313try { L314: const result = await execFileAsync("powershell", ["-NoProfile", "-Command", script], { timeout: 5000 }); L315: if (!String(result.stdout).includes("OK"))
    High
    Shell

    Package source references shell execution.

    dist/tui-ink/image-paste.jsView on unpkg · L313
    dist/tools/server-manager.jsView file
    25} L26: const shell = platform() === "win32" ? "cmd.exe" : "bash"; L27: const shellArgs = platform() === "win32" ? ["/c", command] : ["-c", command]; ... L30: stdio: ["ignore", "pipe", "pipe"], L31: env: process.env, L32: detached: platform() !== "win32", ... L39: const id = `server_${String(nextServerId++).padStart(4, "0")}`; L40: const readinessUrl = input.readinessUrl ?? (input.port ? `http://localhost:${input.port}` : undefined); L41: const record = {
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/tools/server-manager.jsView on unpkg · L25
    dist/oauth/openai-codex.jsView file
    3*/ L4: import { createServer } from "node:http"; L5: import { exec } from "node:child_process"; L6: import { randomBytes, createHash } from "node:crypto"; ... L13: function generatePKCE() { L14: const codeVerifier = randomBytes(32).toString("base64url"); L15: const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url"); ... L21: function openBrowser(url) { L22: const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"; L23: exec(`${cmd} ${JSON.stringify(url)}`, () => { ... L40: res.writeHead(400, { "Content-Type": "text/html" }); L41: res.end(`<html><body><h1>Authorization failed</h1><p>${errorDesc || error}</p></body></html>`);
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/oauth/openai-codex.jsView on unpkg · L3
    dist/tui-ink/input-box.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @bubblebrain-ai/bubble@0.0.29 matchedIdentity = npm:QGJ1YmJsZWJyYWluLWFpL2J1YmJsZQ:0.0.29 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/tui-ink/input-box.jsView on unpkg

    Findings

    1 Critical4 High3 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/tui-ink/input-box.js
    HighChild Processdist/tui-ink/image-paste.js
    HighShelldist/tui-ink/image-paste.js
    HighSame File Env Network Executiondist/tools/server-manager.js
    HighSandbox Evasion Gated Capabilitydist/oauth/openai-codex.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License