registry  /  @jmylchreest/aide-plugin  /  0.1.5

@jmylchreest/aide-plugin@0.1.5

aide plugin for OpenCode and Codex CLI — multi-agent orchestration, memory, skills, and persistence

AI Security Review

scanned 1h ago · by lpm-firewall-ai

The MCP wrapper can fetch a platform binary from the package publisher's GitHub releases and execute it. This is a remote-code execution supply-chain surface, but no concrete malicious payload or exfiltration is present in the inspected TypeScript.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User-configured MCP startup invokes `bin/aide-wrapper.ts`; explicit CLI install can configure integrations.
Impact
A replaced or malicious release artifact could execute with the invoking user's permissions.
Mechanism
Unverified remote binary download followed by local execution; bootstrap dependency installation.
Rationale
The package implements a user-facing AI-agent extension but dynamically downloads and executes an unauthenticated native payload at runtime. That is a meaningful supply-chain capability warranting a warning, not a block absent evidence of malicious behavior.
Evidence
package.jsonbin/aide-wrapper.tssrc/lib/aide-downloader.tssrc/cli/codex-config.tssrc/cli/install.tssrc/cli/uninstall.tsbin/aide[.exe]bin/.aide-download.lock.aide/_logs/wrapper.lognode_modules~/.codex/config.toml~/.codex/hooks.json
Network endpoints3
api.github.com/repos/jmylchreest/aide/releases/latestgithub.com/jmylchreest/aide/releases/download/v${version}/${binaryName}github.com/jmylchreest/aide/releases/latest/download/${binaryName}

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/aide-wrapper.ts` runs automatically when configured as the MCP server.
  • Wrapper downloads a missing/outdated executable, then executes it with inherited environment.
  • `src/lib/aide-downloader.ts` fetches release binaries without checksum or signature verification.
  • `bin/aide-wrapper.ts` runs `bun install --frozen-lockfile` when package `node_modules` is absent.
  • Explicit CLI install code writes Codex/OpenCode integration configuration and hooks.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Network URLs are package-aligned GitHub release/API endpoints.
  • No source evidence of credential harvesting, secret exfiltration, destructive commands, or stealthy foreign config mutation.
  • Configuration changes are exposed through explicit `aide-plugin install`/`uninstall` commands.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 69 file(s), 458 KB of source, external domains: api.anthropic.com, api.github.com, github.com, opencode.ai

Source & flagged code

3 flagged · loading source
bin/aide-wrapper.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @jmylchreest/aide-plugin@0.1.4 matchedIdentity = npm:[redacted]:0.1.4 similarity = 0.913 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/aide-wrapper.tsView on unpkg
18L19: import { execFileSync, spawnSync } from "child_process"; L20: import {
High
Child Process

Package source references child process execution.

bin/aide-wrapper.tsView on unpkg · L18
316if (!existsSync(nodeModules)) { L317: log("node_modules missing — running bun install to restore dependencies"); L318: try { L319: const result = spawnSync("bun", ["install", "--frozen-lockfile"], { L320: cwd: PLUGIN_ROOT,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/aide-wrapper.tsView on unpkg · L316

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/aide-wrapper.ts
HighChild Processbin/aide-wrapper.ts
HighShell
HighRuntime Package Installbin/aide-wrapper.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings