registry  /  @builder.io/buildercode  /  0.13.1

@builder.io/buildercode@0.13.1

Builder.io CLI - AI-powered code generation

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a large Builder.io AI/codegen CLI with expected user-invoked filesystem, shell, credentials, and network behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the builder CLI or explicit subcommands such as auth, launch, update, mcp, push, pull, or index-repo.
Impact
Can modify project/home Builder config files, run local tools, and contact Builder/telemetry services when invoked; no install-time or hidden exfiltration confirmed.
Mechanism
user-invoked developer CLI operations
Rationale
Static inspection shows high-risk primitives, but they are tied to a documented Builder.io developer CLI and explicit user commands, with no lifecycle hook or import-time malicious behavior. Scanner criticals appear to be caused by bundled prompts, wasm/base64, credentials/auth code, and package-aligned shell/network features rather than concrete attack behavior.
Evidence
package.jsondist/cli.mjsdist/credentials-Dud2G0b8.mjsdist/vscode-tunnel-manager-DX6YWQ9F.mjsdist/wrapper-onFoIedG.mjsdist/pac-B6nOKGmK.mjs~/.builder/config/mcp~/.builder/projects.json~/.builder/history~/.builder/recordings~/.builder/config/data.json.builder/config/data.json.config/builderio/data.json.gitignoreAGENTS.md
Network endpoints9
builder.iowww.builder.ioapi.builder.iocdn.builder.ioregistry.npmjs.org/@builder.iowww.figma.com/oauthapi2.amplitude.como117565.ingest.us.sentry.iovscode.dev/tunnel/

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli.mjs registers user-invoked AI/codegen, launch, push/pull, update, mcp, and auth commands with shell/file/network capabilities.
  • dist/credentials-Dud2G0b8.mjs can write credentials under ~/.builder or project .builder paths and add .gitignore entries after auth flows.
  • dist/credentials-Dud2G0b8.mjs contains agent prompts and generated AGENTS.md writing for Builder org-tree sync, but not install-time execution.
Evidence against
  • package.json has no lifecycle scripts; only bin builder -> dist/cli.mjs.
  • dist/cli.mjs only calls program.parseAsync after command registration; dangerous paths are CLI subcommands, not import/install hooks.
  • Clipboard/crypto-wallet hint is noisy: matches bundled prompt/example text such as wallet.dat and large wasm/base64, not clipboard replacement code.
  • Child_process use is package-aligned: editor launch, git, tar/powershell self-update, VS Code tunnel, ffmpeg, tsserver, and user-command execution.
  • Network hosts are Builder/Sentry/Amplitude/registry/Figma/VS Code endpoints aligned with CLI auth, telemetry, update, and Builder services.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 4.19 MB of source, external domains: api.builder.io, api.figma.com, builder.io, cdn.builder.io, dev.acme.com, fly.dev, github.com, health.builderio.dev, health.builderio.xyz, help.figma.com, mcp.asana.com, mcp.notion.com, react.dev, registry.npmjs.org, test.projects.builder.codes, vscode.dev, www.builder.io, www.figma.com
Oversized source lightweight scan
dist/credentials-Dud2G0b8.mjs5.11 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsapi.figma.combuilder.iocdn.builder.iodev.acme.comhelp.figma.comwww.builder.iowww.figma.com

Source & flagged code

11 flagged · loading source
dist/pac-B6nOKGmK.mjsView file
15229patternName = aws_access_key severity = critical line = 15229 matchedText = var Q = ...==";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/pac-B6nOKGmK.mjsView on unpkg · L15229
15229patternName = aws_access_key severity = critical line = 15229 matchedText = var Q = ...==";
Critical
Secret Pattern

AWS access key ID in dist/pac-B6nOKGmK.mjs

dist/pac-B6nOKGmK.mjsView on unpkg · L15229
dist/vscode-tunnel-manager-DX6YWQ9F.mjsView file
3import { EventEmitter as EventEmitter$1 } from "node:events"; L4: import { execSync } from "node:child_process"; L5:
High
Child Process

Package source references child process execution.

dist/vscode-tunnel-manager-DX6YWQ9F.mjsView on unpkg · L3
dist/cli.mjsView file
2!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
Critical
Clipboard Crypto Hijack

Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses.

dist/cli.mjsView on unpkg · L2
Trigger-reachable chain: manifest.bin -> dist/cli.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.mjsView on unpkg
1616if (process$2.versions?.electron) parseOptions.from = "electron"; L1617: const execArgv = process$2.execArgv ?? []; L1618: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

dist/cli.mjsView on unpkg · L1616
2!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.mjsView on unpkg · L2
2Cross-file remote execution chain: dist/cli.mjs spawns dist/devtools-BxFQee5S.mjs; helper contains network access plus dynamic code execution. L2: !function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L2
dist/credentials-Dud2G0b8.mjsView file
context = st shebang = isZsh ? "#!/bin/zsh" : isBash ? "#!/bin/bash" : isFish ? "#!/bin/fish" : isSh ? "#!/bin/sh" : "#!/bin/bash";\n if (isFish) {\n scriptExtension = ".fish";\n scriptContent = `${shebang}\n${command}`;\n } else if (isZsh) {\n scriptExtension = ".sh";\n scriptContent = `${shebang}\nsource ~/.zshrc 2>/dev/null || true\nset -e\n${command}`;\n } else {\n scriptExtension = ".sh";\n scriptContent = `${shebang}\nset -e\n${command}`;\n }\n }\n const scriptPath = getTempScriptPath(scriptExtension);\n try {\n fs.writeFileSync(scriptPath, scriptContent, { mode: 493 });\n return scriptPath;\n } catch (error) {\n throw new Error(`Failed to create temporary script: ${error}`, { cause: error });\n }\n};\nconst getTempScriptPath = (extension) => {\n const tempDir = getTempFolder();\n const timestamp = Date.now();\n const random = Math.random().toString(36).substring(2, 8);\n return path.join(tempDir, `builder_temp_${timestamp}_${random}${extension}`);\n};\nconst getCommandWithShellArgs = (command, shell, login = true) => {\n if (isMultiLin
Critical
Encrypted Payload Temp Execution

Source decrypts an embedded payload, writes it to disk, and executes it through a child process.

dist/credentials-Dud2G0b8.mjsView on unpkg
path = dist/credentials-Dud2G0b8.mjs kind = oversized_source_file sizeBytes = 5358022 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/credentials-Dud2G0b8.mjsView on unpkg
path = dist/credentials-Dud2G0b8.mjs kind = oversized_cli_entrypoint sizeBytes = 5358022 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/credentials-Dud2G0b8.mjsView on unpkg

Findings

5 Critical5 High4 Medium3 Low
CriticalCritical Secretdist/pac-B6nOKGmK.mjs
CriticalClipboard Crypto Hijackdist/cli.mjs
CriticalEncrypted Payload Temp Executiondist/credentials-Dud2G0b8.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/cli.mjs
CriticalSecret Patterndist/pac-B6nOKGmK.mjs
HighChild Processdist/vscode-tunnel-manager-DX6YWQ9F.mjs
HighShelldist/cli.mjs
HighSandbox Evasion Gated Capabilitydist/cli.mjs
HighCross File Remote Execution Contextdist/cli.mjs
HighOversized Source Filedist/credentials-Dud2G0b8.mjs
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/credentials-Dud2G0b8.mjs
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings