AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The riskiest behavior is package-aligned local Trae database decryption/key extraction for usage reporting, with no network exfiltration or install-time execution.
Static reason
No blocking static signals were detected.
Trigger
User runs ocusage for Trae or all-client usage reporting
Impact
Local reporting of token usage; may store Trae DB key in ocusage config for reuse
Mechanism
local AI client usage parsing and optional SQLCipher key extraction
Rationale
The package implements a declared CLI that reads local AI client usage stores and formats reports; sensitive primitives are scoped to local Trae database decryption and are not tied to install hooks, persistence, control-surface mutation, or exfiltration. The shipped PowerShell/process-memory helper is high-sensitivity but package-aligned and user-invoked at runtime, so it does not establish malicious behavior by itself.
Evidence
package.jsoncli.mjsconfig.mjsproviders/trae.mjsproviders/helpers/trae-key-extract.mjsproviders/helpers/trae-crypto.mjsscripts/extract-trae-key.ps1ocusage config.jsontemporary ocusage-trae-*/decrypted.db
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- providers/helpers/trae-key-extract.mjs invokes powershell.exe to scan Trae process memory for SQLCipher key candidates on Windows
- config.mjs can persist extracted encryptionKeys in ocusage config
- providers/helpers/trae-crypto.mjs writes decrypted Trae DB to a temp file and removes it later
Evidence against
- package.json has only prepare husky script, no install/postinstall hook
- cli.mjs execution is user-invoked CLI; no import-time payload beyond command registration
- rg found no fetch/http client or network exfiltration code
- providers read local SQLite/JSONL usage data for declared AI clients
- PowerShell helper returns candidate keys as local JSON and is called only by Trae provider path
- No AI-agent config/control-surface mutation found
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcescripts/extract-trae-key.ps1View file
•path = scripts/extract-trae-key.ps1
kind = build_helper
sizeBytes = 7116
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/extract-trae-key.ps1View on unpkgFindings
3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helperscripts/extract-trae-key.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings