registry  /  @cline/core  /  0.0.64

@cline/core@0.0.64

Cline Core SDK for Node Runtime

AI Security Review

scanned 8h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package provides a host-invoked Cline agent runtime with shell/tool execution and plugin/MCP extension setup. These are powerful but no automatic install-time or import-time malicious chain was confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A host explicitly creates/runs Cline sessions or calls plugin/MCP setup APIs.
Impact
Configured plugins, MCP servers, and agent tools can execute with the permissions granted by the host; this is an extension lifecycle risk rather than confirmed malware.
Mechanism
User- or host-invoked agent tooling, subprocess execution, and Cline extension configuration.
Rationale
The scanner conflates normal agent-runtime capabilities with exfiltration risk. Source inspection found no install-time execution, automatic credential exfiltration, stealth persistence, or foreign control-surface mutation, but the explicit extension-install and command-execution APIs warrant a non-blocking warning.
Evidence
package.jsonREADME.mddist/index.jsdist/services/plugin-install.d.tsdist/services/mcp-install.d.tsdist/extensions/plugin-sandbox-bootstrap.js
Network endpoints1
data.cline.bot

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` exposes agent command execution and plugin sandbox loading.
  • `dist/services/plugin-install.d.ts` exposes explicit plugin installation.
  • `dist/services/mcp-install.d.ts` and MCP config APIs can set up agent integrations.
  • `dist/services/feature-flags/posthog.js` configures PostHog at `https://data.cline.bot`.
  • `dist/extensions/plugin-sandbox-bootstrap.js` loads configured plugin code in a subprocess context.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `README.md` describes an explicit host-invoked agent runtime API.
  • No source-read path shows automatic credential harvesting or command-output exfiltration.
  • No import-time foreign AI-agent configuration mutation was found.
  • No concealed payload download, eval chain, or destructive action was established.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 6 file(s), 2.43 MB of source, external domains: 127.0.0.1, api.ai, api.hicap.ai, data.cline.bot, github.com, inference.baseten.co, inference.poolside.ai, models.dev

Source & flagged code

8 flagged · loading source
dist/index.jsView file
1import{createRequire as SU}from"node:module";var wU=Object.defineProperty;var CU=($)=>$;function PU($,W){this[$]=CU.bind(null,W)}var U9=($,W)=>{for(var Z in W)wU($,Z,{get:W[Z],enum... L2: `,"utf8"),m_()}function HZ(){return M0().telemetryOptOut}function d_($,W={}){f1({...M0(),telemetryOptOut:$},W)}function l_(){return M0().autoUpdateEnabled}function p_($,W={}){f1({.... L3: `)}function bT($){if(!$||$.length===0)return[];let W=[];for(let Z of $){let Q=yT(Z);if(Q)W.push(Q)}return W}function yT($){let W=$.trim();if(!W)return;let Z=W.match(/^data:([^;,]+)... L4: `),J}finally{R5.delete($.lockDir),lz($)}}function q1($,W,Z={}){let Q=pz($,Z);return cV(Q,$,W)}async function E5($,W,Z={}){let Q=await rz($,Z);return cV(Q,$,W)}function iz($){let W=... L5: <html lang="en"> ... L44: </body> L45: </html>`;function jj($){let W="";for(let Z=0;Z<$.length;Z+=1)W+=String.fromCharCode($[Z]??0);return btoa(W).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var zZ=Sf();function qZ($,W,Z){if(typeof $==="number"&&$>0)return $;if(Z){let Q=process.env[Z];if(Q){let J=Number(Q);if(Number.isInteger(J)&&J>0)return J}}return W}async functi...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/index.js L1: import{createRequire as SU}from"node:module";var wU=Object.defineProperty;var CU=($)=>$;function PU($,W){this[$]=CU.bind(null,W)}var U9=($,W)=>{for(var Z in W)wU($,Z,{get:W[Z],enum... L2: `,"utf8"),m_()}function HZ(){return M0().telemetryOptOut}function d_($,W={}){f1({...M0(),telemetryOptOut:$},W)}function l_(){return M0().autoUpdateEnabled}function p_($,W={}){f1({.... L3: `)}function bT($){if(!$||$.length===0)return[];let W=[];for(let Z of $){let Q=yT(Z);if(Q)W.push(Q)}return W}function yT($){let W=$.trim();if(!W)return;let Z=W.match(/^data:([^;,]+)... L4: `),J}finally{R5.delete($.lockDir),lz($)}}function q1($,W,Z={}){let Q=pz($,Z);return cV(Q,$,W)}async function E5($,W,Z={}){let Q=await rz($,Z);return cV(Q,$,W)}function iz($){let W=... L5: <html lang="en"> ... L44: </body> L45: </html>`;function jj($){let W="";for(let Z=0;Z<$.length;Z+=1)W+=String.fromCharCode($[Z]??0);return btoa(W).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var zZ=Sf();function qZ($,W,Z){if(typeof $==="number"&&$>0)return $;if(Z){let Q=process.env[Z];if(Q){let J=Number(Q);if(Number.isInteger(J)&&J>0)return J}}…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
44</body> L45: </html>`;function jj($){let W="";for(let Z=0;Z<$.length;Z+=1)W+=String.fromCharCode($[Z]??0);return btoa(W).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var zZ=Sf();function qZ($,W,Z){if(typeof $==="number"&&$>0)return $;if(Z){let Q=process.env[Z];if(Q){let J=Number(Q);if(Number.isInteger(J)&&J>0)return J}}return W}async functi...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L44
44</body> L45: </html>`;function jj($){let W="";for(let Z=0;Z<$.length;Z+=1)W+=String.fromCharCode($[Z]??0);return btoa(W).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var zZ=Sf();function qZ($,W,Z){if(typeof $==="number"&&$>0)return $;if(Z){let Q=process.env[Z];if(Q){let J=Number(Q);if(Number.isInteger(J)&&J>0)return J}}return W}async functi...
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L44
44</body> L45: </html>`;function jj($){let W="";for(let Z=0;Z<$.length;Z+=1)W+=String.fromCharCode($[Z]??0);return btoa(W).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var zZ=Sf();function qZ($,W,Z){if(typeof $==="number"&&$>0)return $;if(Z){let Q=process.env[Z];if(Q){let J=Number(Q);if(Number.isInteger(J)&&J>0)return J}}return W}async functi...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L44
44</body> L45: </html>`;function jj($){let W="";for(let Z=0;Z<$.length;Z+=1)W+=String.fromCharCode($[Z]??0);return btoa(W).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var zZ=Sf();function qZ($,W,Z){if(typeof $==="number"&&$>0)return $;if(Z){let Q=process.env[Z];if(Q){let J=Number(Q);if(Number.isInteger(J)&&J>0)return J}}return W}async functi...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L44
3`)}function bT($){if(!$||$.length===0)return[];let W=[];for(let Z of $){let Q=yT(Z);if(Q)W.push(Q)}return W}function yT($){let W=$.trim();if(!W)return;let Z=W.match(/^data:([^;,]+)... L4: `),J}finally{R5.delete($.lockDir),lz($)}}function q1($,W,Z={}){let Q=pz($,Z);return cV(Q,$,W)}async function E5($,W,Z={}){let Q=await rz($,Z);return cV(Q,$,W)}function iz($){let W=... L5: <html lang="en">
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L3
1import{createRequire as SU}from"node:module";var wU=Object.defineProperty;var CU=($)=>$;function PU($,W){this[$]=CU.bind(null,W)}var U9=($,W)=>{for(var Z in W)wU($,Z,{get:W[Z],enum... L2: `,"utf8"),m_()}function HZ(){return M0().telemetryOptOut}function d_($,W={}){f1({...M0(),telemetryOptOut:$},W)}function l_(){return M0().autoUpdateEnabled}function p_($,W={}){f1({.... L3: `)}function bT($){if(!$||$.length===0)return[];let W=[];for(let Z of $){let Q=yT(Z);if(Q)W.push(Q)}return W}function yT($){let W=$.trim();if(!W)return;let Z=W.match(/^data:([^;,]+)... L4: `),J}finally{R5.delete($.lockDir),lz($)}}function q1($,W,Z={}){let Q=pz($,Z);return cV(Q,$,W)}async function E5($,W,Z={}){let Q=await rz($,Z);return cV(Q,$,W)}function iz($){let W=... L5: <html lang="en"> ... L44: </body> L45: </html>`;function jj($){let W="";for(let Z=0;Z<$.length;Z+=1)W+=String.fromCharCode($[Z]??0);return btoa(W).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var zZ=Sf();function qZ($,W,Z){if(typeof $==="number"&&$>0)return $;if(Z){let Q=process.env[Z];if(Q){let J=Number(Q);if(Number.isInteger(J)&&J>0)return J}}return W}async functi...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L1

Findings

2 Critical4 High4 Medium7 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License