registry  /  @deepalign/geo-companion  /  0.2.3

@deepalign/geo-companion@0.2.3

GEO 报告本地伴随程序:检测本地 AI CLI、按品牌注入 MCP 配置与分析人设,在网页内嵌终端里拉起本地 codex / claude / cursor(用用户自己的订阅)。

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs geo-companion start, then an allowed report origin calls /deep-dive and connects /terminal.
Impact
Allowed report sites can start scoped local AI CLI sessions using a short-lived geo-data MCP key; no install-time hijack or exfiltration chain was found.
Mechanism
localhost daemon creates temporary AI CLI workspaces and bridges a browser WebSocket to node-pty
Rationale
Source inspection shows guarded, user-invoked AI-agent integration with temporary config mutation, process spawning, and token validation to package-aligned allowlisted endpoints. Because this is a meaningful agent-control surface but not an unconsented install-time hijack or exfiltration path, warn rather than block.
Evidence
package.jsonscripts/fix-pty-helper.jssrc/config.jssrc/server.jssrc/backend.jssrc/terminal.jssrc/detect.jsbin/geo-companion.jsnode-pty/prebuilds/*/spawn-helper$WORKSPACE_ROOT/s-*/.mcp.json$WORKSPACE_ROOT/s-*/CLAUDE.md$WORKSPACE_ROOT/s-*/AGENTS.md$WORKSPACE_ROOT/s-*/.cursor/mcp.json$WORKSPACE_ROOT/s-*/.codex-home/config.toml$WORKSPACE_ROOT/s-*/.codex-home/auth.json
Network endpoints10
127.0.0.1:8765localhost:5173127.0.0.1:5173localhost:5175127.0.0.1:5175pages.trydeepalign.comdashboard.noiseoff.cnlocalhost:3001127.0.0.1:3001tcninreey9r1.feishu.cn/wiki/VJw5wt4JEidRn0kced7c8n9Fn5c?table=tblVibApxcxwKCXe&view=vewqnwl48V

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall script scripts/fix-pty-helper.js
  • src/server.js starts localhost HTTP/WS daemon and accepts /deep-dive then /terminal sessions from whitelisted origins
  • src/terminal.js writes temporary .mcp.json, AGENTS.md/CLAUDE.md, .cursor/mcp.json, and CODEX_HOME config for AI CLIs
  • src/terminal.js spawns local claude/codex/cursor via node-pty after session creation
  • src/backend.js forwards user token to whitelisted backend /api/noiseoff-radar/companion/validate
Evidence against
  • postinstall only chmods node-pty prebuild spawn-helper and does not alter agent config
  • server binds 127.0.0.1 and enforces Origin whitelist for non-health endpoints
  • apiBase is checked against ALLOWED_API_BASES before token forwarding
  • AI-agent config files are created in per-session temp workspaces and removed on dispose
  • no evidence of credential harvesting beyond intended backend token validation or arbitrary remote payload loading
  • codex runs with read-only sandbox and ask-for-approval never; Claude/Cursor launchers are scoped to geo-data MCP
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 7 file(s), 36.9 KB of source, external domains: 127.0.0.1, dashboard.noiseoff.cn, pages.trydeepalign.com, tcninreey9r1.feishu.cn

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/fix-pty-helper.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High3 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License