registry  /  @hermes-kaesra/kaesracode  /  1.0.0

@hermes-kaesra/kaesracode@1.0.0

⚡ The AI coding agent, customized for everyone. Fork of OpenCode with /goal, /team, prompt enhancer, and more.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package is a thin launcher that downloads and executes a GitHub-hosted install script on first CLI run, then launches the installed app with Bun. This is dangerous remote code execution behavior but is user-invoked and package-aligned, with no concrete malicious payload in the tarball.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `kaesracode` or `npx @hermes-kaesra/kaesracode`.
Impact
Remote installer can execute arbitrary commands with the user's environment and write to the configured install directory.
Mechanism
curl-to-bash remote installer followed by Bun launch
Rationale
Source inspection confirms a user-invoked remote installer/launcher with inherited environment, which warrants a warning for dangerous remote execution. There is no npm lifecycle hook, stealth persistence, exfiltration, destructive behavior, or unconsented broad AI-agent control-surface mutation in the package source, so a publish block is not justified from this tarball alone.
Evidence
package.jsoncli.jsREADME.md$HOME/.kaesracode$HOME/.kaesracode/packages/opencode
Network endpoints2
raw.githubusercontent.com/hermes-kaesra/KaesraCode/hermes-features/install.shgithub.com/hermes-kaesra/KaesraCode

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli.js bin entrypoint uses execSync to run curl piped to bash from raw.githubusercontent.com
  • cli.js executes `bun run dev` in KAESRACODE_INSTALL_DIR after install check
  • cli.js passes full process.env to the remote install command
  • Remote installer is fetched at runtime, so npm tarball does not contain the code being executed
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • Execution is via explicit `kaesracode` bin/npx invocation, not import-time or install-time
  • README.md discloses first run installs automatically
  • Endpoint and repository align with package name/author
  • No local source shows credential harvesting, exfiltration, destructive commands, or agent config hijack
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 711 B of source, external domains: raw.githubusercontent.com

Source & flagged code

3 flagged · loading source
cli.jsView file
1#!/usr/bin/env node L2: const { execSync } = require("child_process") L3: const { existsSync } = require("fs") ... L6: L7: const INSTALL_DIR = process.env.KAESRACODE_INSTALL_DIR || join(os.homedir(), ".kaesracode") L8: ... L10: console.log("⚡ Installing KaesraCode...") L11: execSync(`curl -fsSL https://raw.githubusercontent.com/hermes-kaesra/KaesraCode/hermes-features/install.sh | bash`, { L12: stdio: "inherit",
Critical
Download Execute

Source downloads or fetches remote code and executes it.

cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> cli.js L1: #!/usr/bin/env node L2: const { execSync } = require("child_process") L3: const { existsSync } = require("fs") ... L6: L7: const INSTALL_DIR = process.env.KAESRACODE_INSTALL_DIR || join(os.homedir(), ".kaesracode") L8: ... L10: console.log("⚡ Installing KaesraCode...") L11: execSync(`curl -fsSL https://raw.githubusercontent.com/hermes-kaesra/KaesraCode/hermes-features/install.sh | bash`, { L12: stdio: "inherit",
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: const { execSync } = require("child_process") L3: const { existsSync } = require("fs")
High
Child Process

Package source references child process execution.

cli.jsView on unpkg · L1

Findings

2 Critical1 High1 Medium2 Low
CriticalDownload Executecli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
HighChild Processcli.js
MediumEnvironment Vars
LowFilesystem
LowUrl Strings