registry  /  @builder.io/buildercode  /  0.14.1

@builder.io/buildercode@0.14.1

Builder.io CLI - AI-powered code generation

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by source inspection. Risky primitives are part of an interactive Builder.io AI/codegen CLI and are gated by commands or user actions, not lifecycle execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the builder CLI and invokes auth/code/launch/update/mcp/paste workflows.
Impact
No confirmed unauthorized exfiltration, persistence, destructive action, or clipboard hijack.
Mechanism
Product-aligned CLI network, credential storage, clipboard, and child-process helpers
Rationale
Static inspection shows a bundled interactive Builder.io CLI with expected auth, telemetry, update, clipboard, git, MCP, and codegen capabilities, but no lifecycle hook or hidden import-time malware path. Scanner claims about crypto clipboard hijacking and encrypted payload execution were not supported by the inspected source.
Evidence
package.jsondist/cli.mjsdist/credentials-CPQWfcto.mjsdist/vscode-tunnel-manager-Tl3LC5FY.mjs~/.builder/config/data.json.builder/config/data.json.config/builderio/data.json.gitignorenode_modules/.builder/data.jsontemporary builder-prototype-* git bundle directoriestemporary buildercode-* editor prompt files
Network endpoints9
builder.ioapi.builder.iocdn.builder.ioregistry.npmjs.org/@builder.ioapi.figma.com/v1/oauth/tokenwww.figma.com/oauthvscode.dev/tunnel/github.como117565.ingest.us.sentry.io

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; only bin builder -> dist/cli.mjs.
    • dist/cli.mjs clipboard code only handles paste/copy UI actions; no crypto address matching or replacement found.
    • dist/credentials-CPQWfcto.mjs writes Builder/Figma credentials only after auth flows or explicit credential handling.
    • Child processes are user-invoked/product-aligned: git bundle extraction, editor launch, IDE extension install, updater, MCP/server commands.
    • Network endpoints are Builder.io/Figma/Sentry/npm/GitHub health or product API/auth/update paths.
    • No install-time/import-time payload decryption and execution confirmed in inspected source.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 7 file(s), 4.19 MB of source, external domains: api.builder.io, api.figma.com, builder.io, cdn.builder.io, dev.acme.com, fly.dev, github.com, health.builderio.dev, health.builderio.xyz, help.figma.com, mcp.asana.com, mcp.notion.com, react.dev, registry.npmjs.org, test.projects.builder.codes, vscode.dev, www.builder.io, www.figma.com
    Oversized source lightweight scan
    dist/credentials-CPQWfcto.mjs5.11 MB file, sampled 256 KB
    FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsapi.figma.combuilder.iocdn.builder.iodev.acme.comhelp.figma.comwww.builder.iowww.figma.com

    Source & flagged code

    11 flagged · loading source
    dist/pac-C-f8GYEm.mjsView file
    15229patternName = aws_access_key severity = critical line = 15229 matchedText = var Q = ...==";
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/pac-C-f8GYEm.mjsView on unpkg · L15229
    15229patternName = aws_access_key severity = critical line = 15229 matchedText = var Q = ...==";
    Critical
    Secret Pattern

    AWS access key ID in dist/pac-C-f8GYEm.mjs

    dist/pac-C-f8GYEm.mjsView on unpkg · L15229
    dist/vscode-tunnel-manager-Tl3LC5FY.mjsView file
    3import { EventEmitter as EventEmitter$1 } from "node:events"; L4: import { execSync } from "node:child_process"; L5:
    High
    Child Process

    Package source references child process execution.

    dist/vscode-tunnel-manager-Tl3LC5FY.mjsView on unpkg · L3
    dist/cli.mjsView file
    2!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
    Critical
    Clipboard Crypto Hijack

    Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses.

    dist/cli.mjsView on unpkg · L2
    Trigger-reachable chain: manifest.bin -> dist/cli.mjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cli.mjsView on unpkg
    1616if (process$2.versions?.electron) parseOptions.from = "electron"; L1617: const execArgv = process$2.execArgv ?? []; L1618: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
    High
    Shell

    Package source references shell execution.

    dist/cli.mjsView on unpkg · L1616
    2!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/cli.mjsView on unpkg · L2
    2Cross-file remote execution chain: dist/cli.mjs spawns dist/devtools-s7CALUyN.mjs; helper contains network access plus dynamic code execution. L2: !function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/cli.mjsView on unpkg · L2
    dist/credentials-CPQWfcto.mjsView file
    context = st shebang = isZsh ? "#!/bin/zsh" : isBash ? "#!/bin/bash" : isFish ? "#!/bin/fish" : isSh ? "#!/bin/sh" : "#!/bin/bash";\n if (isFish) {\n scriptExtension = ".fish";\n scriptContent = `${shebang}\n${command}`;\n } else if (isZsh) {\n scriptExtension = ".sh";\n scriptContent = `${shebang}\nsource ~/.zshrc 2>/dev/null || true\nset -e\n${command}`;\n } else {\n scriptExtension = ".sh";\n scriptContent = `${shebang}\nset -e\n${command}`;\n }\n }\n const scriptPath = getTempScriptPath(scriptExtension);\n try {\n fs.writeFileSync(scriptPath, scriptContent, { mode: 493 });\n return scriptPath;\n } catch (error) {\n throw new Error(`Failed to create temporary script: ${error}`, { cause: error });\n }\n};\nconst getTempScriptPath = (extension) => {\n const tempDir = getTempFolder();\n const timestamp = Date.now();\n const random = Math.random().toString(36).substring(2, 8);\n return path.join(tempDir, `builder_temp_${timestamp}_${random}${extension}`);\n};\nconst getCommandWithShellArgs = (command, shell, login = true) => {\n if (isMultiLin
    Critical
    Encrypted Payload Temp Execution

    Source decrypts an embedded payload, writes it to disk, and executes it through a child process.

    dist/credentials-CPQWfcto.mjsView on unpkg
    path = dist/credentials-CPQWfcto.mjs kind = oversized_source_file sizeBytes = 5362512 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/credentials-CPQWfcto.mjsView on unpkg
    path = dist/credentials-CPQWfcto.mjs kind = oversized_cli_entrypoint sizeBytes = 5362512 magicHex = [redacted]
    Medium
    Oversized Cli Entrypoint

    Package contains an oversized executable-looking CLI entrypoint.

    dist/credentials-CPQWfcto.mjsView on unpkg

    Findings

    5 Critical5 High4 Medium3 Low
    CriticalCritical Secretdist/pac-C-f8GYEm.mjs
    CriticalClipboard Crypto Hijackdist/cli.mjs
    CriticalEncrypted Payload Temp Executiondist/credentials-CPQWfcto.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/cli.mjs
    CriticalSecret Patterndist/pac-C-f8GYEm.mjs
    HighChild Processdist/vscode-tunnel-manager-Tl3LC5FY.mjs
    HighShelldist/cli.mjs
    HighSandbox Evasion Gated Capabilitydist/cli.mjs
    HighCross File Remote Execution Contextdist/cli.mjs
    HighOversized Source Filedist/credentials-CPQWfcto.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumOversized Cli Entrypointdist/credentials-CPQWfcto.mjs
    MediumStructural Risk Force Deep Review
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings