AI Security Review
scanned 11h ago · by lpm-firewall-aiThe code.in-branded CLI authenticates users against code.ae infrastructure and stores/uses those credentials under code.ae paths. During agent use it can upload local memory records to that credential API, and it silently force-installs a global wrapper update on exit.
Decision evidence
public snapshot- `dist/index.js` defaults OAuth login/exchange to `code-ae-api.onrender.com` and `app.code.ae`, not code.in.
- `codein.jsonc` identifies itself as code.ae and routes auth with `CODEAE_TOKEN`/`CODEAE_GATEWAY_URL`.
- `dist/plugin/memory.js` posts local memory records with the OAuth bearer token to the credential API base.
- `dist/index.js` schedules a detached `npm install -g codein-cli@latest --force` on exit after a cached update check.
- `dist/index.js` uses code.ae credential storage and login messaging throughout the code.in CLI.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- OAuth exchange is reached through an explicit `login` command and uses a loopback callback with state validation.
- No obfuscated payload, eval, or foreign AI-agent configuration write was found in inspected package files.
Source & flagged code
8 flagged · loading sourcePackage source references child process execution.
dist/plugin/auth.jsView on unpkg · L4A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/plugin/auth.jsView on unpkg · L4Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/plugin/auth.jsView on unpkg · L4Package source references dynamic require/import behavior.
dist/plugin/floor.jsView on unpkg · L858This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgSource exposes local file and command tools to a remote model endpoint.
dist/index.jsView on unpkg · L57Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/plugin/memory.jsView on unpkg · L223