AI Security Review
scanned 3h ago · by lpm-firewall-aiThe package is a thin launcher that downloads and executes a GitHub-hosted install script on first CLI run, then launches the installed app with Bun. This is dangerous remote code execution behavior but is user-invoked and package-aligned, with no concrete malicious payload in the tarball.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `kaesracode` or `npx @hermes-kaesra/kaesracode`.
Impact
Remote installer can execute arbitrary commands with the user's environment and write to the configured install directory.
Mechanism
curl-to-bash remote installer followed by Bun launch
Rationale
Source inspection confirms a user-invoked remote installer/launcher with inherited environment, which warrants a warning for dangerous remote execution. There is no npm lifecycle hook, stealth persistence, exfiltration, destructive behavior, or unconsented broad AI-agent control-surface mutation in the package source, so a publish block is not justified from this tarball alone.
Evidence
package.jsoncli.jsREADME.md$HOME/.kaesracode$HOME/.kaesracode/packages/opencode
Network endpoints2
raw.githubusercontent.com/hermes-kaesra/KaesraCode/hermes-features/install.shgithub.com/hermes-kaesra/KaesraCode
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- cli.js bin entrypoint uses execSync to run curl piped to bash from raw.githubusercontent.com
- cli.js executes `bun run dev` in KAESRACODE_INSTALL_DIR after install check
- cli.js passes full process.env to the remote install command
- Remote installer is fetched at runtime, so npm tarball does not contain the code being executed
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts
- Execution is via explicit `kaesracode` bin/npx invocation, not import-time or install-time
- README.md discloses first run installs automatically
- Endpoint and repository align with package name/author
- No local source shows credential harvesting, exfiltration, destructive commands, or agent config hijack
Behavioral surface
ChildProcessEnvironmentVarsFilesystem
UrlStrings
Source & flagged code
3 flagged · loading sourcecli.jsView file
1#!/usr/bin/env node
L2: const { execSync } = require("child_process")
L3: const { existsSync } = require("fs")
...
L6:
L7: const INSTALL_DIR = process.env.KAESRACODE_INSTALL_DIR || join(os.homedir(), ".kaesracode")
L8:
...
L10: console.log("⚡ Installing KaesraCode...")
L11: execSync(`curl -fsSL https://raw.githubusercontent.com/hermes-kaesra/KaesraCode/hermes-features/install.sh | bash`, {
L12: stdio: "inherit",
Critical
1Trigger-reachable chain: manifest.bin -> cli.js
L1: #!/usr/bin/env node
L2: const { execSync } = require("child_process")
L3: const { existsSync } = require("fs")
...
L6:
L7: const INSTALL_DIR = process.env.KAESRACODE_INSTALL_DIR || join(os.homedir(), ".kaesracode")
L8:
...
L10: console.log("⚡ Installing KaesraCode...")
L11: execSync(`curl -fsSL https://raw.githubusercontent.com/hermes-kaesra/KaesraCode/hermes-features/install.sh | bash`, {
L12: stdio: "inherit",
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
cli.jsView on unpkg · L11#!/usr/bin/env node
L2: const { execSync } = require("child_process")
L3: const { existsSync } = require("fs")
High
Findings
2 Critical1 High1 Medium2 Low
CriticalDownload Executecli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
HighChild Processcli.js
MediumEnvironment Vars
LowFilesystem
LowUrl Strings