registry  /  @builder.io/buildercode  /  0.14.2

@builder.io/buildercode@0.14.2

Builder.io CLI - AI-powered code generation

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface by static source inspection. Risky primitives are aligned with an AI code-generation CLI and require explicit user CLI actions, with no install-time execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs builder CLI commands such as code, launch, update, auth, mcp, or index-repo.
Impact
Expected CLI behavior: authenticate to Builder.io/Figma, index/generate code, launch dev proxy, manage MCP servers, or self-update standalone binary.
Mechanism
User-invoked Builder.io CLI networking, clipboard, subprocess, update, and agent orchestration features.
Rationale
Static inspection found no lifecycle execution, hidden payload execution, crypto clipboard hijack, or credential exfiltration; scanner hits map to bundled CLI features and third-party libraries. The embedded agent prompts and subprocess/network capabilities are explicit Builder.io product behavior rather than unconsented control-surface mutation.
Evidence
package.jsondist/cli.mjsdist/credentials-KJmJXz9z.mjsdist/pac-BbqDux7q.mjsdist/vscode-tunnel-manager-cPmYqjf1.mjs
Network endpoints9
registry.npmjs.org/@builder.ioapi.builder.io/codegen/healthcdn.builder.io/api/v1/image/assets/TEMP/75a212ab82b6175c9862b125e0e23db8d369a58a?width=100www.builder.iotest.projects.builder.codes/proxy-healthhealth.builderio.xyz/healthhealth.builderio.dev/healthfly.dev1c5033d697e0271ebe53773bff826de0@o117565.ingest.us.sentry.io/4511107776905216

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli.mjs imports child_process and has user-invoked update/launch/agent commands.
  • dist/credentials-KJmJXz9z.mjs contains embedded agent setup prompts and may spawn Builder-managed agents from CLI flows.
  • dist/cli.mjs clipboard helpers read/write clipboard only for paste/copy UI paths, not wallet-address replacement.
Evidence against
  • package.json has no lifecycle scripts; only bin builder -> dist/cli.mjs.
  • dist/credentials-KJmJXz9z.mjs readCredentials uses CLI args/env/stored Builder credentials for Builder.io authentication, not broad secret harvesting.
  • dist/cli.mjs selfUpdate fetches @builder.io binary tarballs from registry.npmjs.org only when user runs update/standalone checks.
  • dist/cli.mjs createFusionExampleProject posts to Builder API using Builder credentials for documented project/agent creation.
  • dist/cli.mjs command table shows dangerous primitives are tied to explicit CLI features: code, launch, mcp, auth, update, push/pull.
  • dist/pac-BbqDux7q.mjs is a PAC resolver bundle dynamically imported for proxy config, not an encrypted dropped executable.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 4.19 MB of source, external domains: api.builder.io, api.figma.com, builder.io, cdn.builder.io, dev.acme.com, fly.dev, github.com, health.builderio.dev, health.builderio.xyz, help.figma.com, mcp.asana.com, mcp.notion.com, react.dev, registry.npmjs.org, test.projects.builder.codes, vscode.dev, www.builder.io, www.figma.com
Oversized source lightweight scan
dist/credentials-KJmJXz9z.mjs5.12 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsapi.figma.combuilder.iocdn.builder.iodev.acme.comhelp.figma.comwww.builder.iowww.figma.com

Source & flagged code

11 flagged · loading source
dist/pac-BbqDux7q.mjsView file
15229patternName = aws_access_key severity = critical line = 15229 matchedText = var Q = ...==";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/pac-BbqDux7q.mjsView on unpkg · L15229
15229patternName = aws_access_key severity = critical line = 15229 matchedText = var Q = ...==";
Critical
Secret Pattern

AWS access key ID in dist/pac-BbqDux7q.mjs

dist/pac-BbqDux7q.mjsView on unpkg · L15229
dist/cli.mjsView file
2!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
Critical
Clipboard Crypto Hijack

Source reads and rewrites clipboard contents matching cryptocurrency wallet addresses.

dist/cli.mjsView on unpkg · L2
Trigger-reachable chain: manifest.bin -> dist/cli.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.mjsView on unpkg
4import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path";
High
Child Process

Package source references child process execution.

dist/cli.mjsView on unpkg · L4
1616if (process$2.versions?.electron) parseOptions.from = "electron"; L1617: const execArgv = process$2.execArgv ?? []; L1618: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

dist/cli.mjsView on unpkg · L1616
2!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.mjsView on unpkg · L2
2Cross-file remote execution chain: dist/cli.mjs spawns dist/devtools-D_Wm5iKv.mjs; helper contains network access plus dynamic code execution. L2: !function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{};e.SENTRY_RELEAS... L3: import { $ as CallToolRequestSchema, $t as require_picocolors, A as updateDesignSystem, B as [redacted], Bt as pkgVersion, C as getAllDesignSystems, Ct as is... L4: import { EventEmitter as EventEmitter$1 } from "node:events"; L5: import { exec, execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process"; L6: import * as path$2 from "node:path"; ... L16: import readline from "node:readline"; L17: import * as https$1 from "node:https"; L18: import * as path$1 from "path"; ... L25: import { execFile as execFile$1, spawn as spawn$1, spawnSync as spawnSync$1 } from "child_process"; L26: import dns from "node:dns"; L27: import { promisify as promisify$1 } from "util"; ... L39: * Constructs the CommanderError class
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L2
dist/credentials-KJmJXz9z.mjsView file
context = st shebang = isZsh ? "#!/bin/zsh" : isBash ? "#!/bin/bash" : isFish ? "#!/bin/fish" : isSh ? "#!/bin/sh" : "#!/bin/bash";\n if (isFish) {\n scriptExtension = ".fish";\n scriptContent = `${shebang}\n${command}`;\n } else if (isZsh) {\n scriptExtension = ".sh";\n scriptContent = `${shebang}\nsource ~/.zshrc 2>/dev/null || true\nset -e\n${command}`;\n } else {\n scriptExtension = ".sh";\n scriptContent = `${shebang}\nset -e\n${command}`;\n }\n }\n const scriptPath = getTempScriptPath(scriptExtension);\n try {\n fs.writeFileSync(scriptPath, scriptContent, { mode: 493 });\n return scriptPath;\n } catch (error) {\n throw new Error(`Failed to create temporary script: ${error}`, { cause: error });\n }\n};\nconst getTempScriptPath = (extension) => {\n const tempDir = getTempFolder();\n const timestamp = Date.now();\n const random = Math.random().toString(36).substring(2, 8);\n return path.join(tempDir, `builder_temp_${timestamp}_${random}${extension}`);\n};\nconst getCommandWithShellArgs = (command, shell, login = true) => {\n if (isMultiLin
Critical
Encrypted Payload Temp Execution

Source decrypts an embedded payload, writes it to disk, and executes it through a child process.

dist/credentials-KJmJXz9z.mjsView on unpkg
path = dist/credentials-KJmJXz9z.mjs kind = oversized_source_file sizeBytes = 5363581 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/credentials-KJmJXz9z.mjsView on unpkg
path = dist/credentials-KJmJXz9z.mjs kind = oversized_cli_entrypoint sizeBytes = 5363581 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/credentials-KJmJXz9z.mjsView on unpkg

Findings

5 Critical5 High4 Medium3 Low
CriticalCritical Secretdist/pac-BbqDux7q.mjs
CriticalClipboard Crypto Hijackdist/cli.mjs
CriticalEncrypted Payload Temp Executiondist/credentials-KJmJXz9z.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/cli.mjs
CriticalSecret Patterndist/pac-BbqDux7q.mjs
HighChild Processdist/cli.mjs
HighShelldist/cli.mjs
HighSandbox Evasion Gated Capabilitydist/cli.mjs
HighCross File Remote Execution Contextdist/cli.mjs
HighOversized Source Filedist/credentials-KJmJXz9z.mjs
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/credentials-KJmJXz9z.mjs
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings