registry  /  @linzumi/cli  /  1.0.8

@linzumi/cli@1.0.8

Linzumi CLI — point a Codex agent at the real code on your laptop, with your team watching and steering from shared threads.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package has powerful CLI runner capabilities, but they are explicit Linzumi/Codex workflows rather than hidden install-time behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit user invocation of linzumi commands or packaged QA scripts
Impact
User-authorized runner/auth/network operations; no confirmed unconsented credential harvesting or payload execution.
Mechanism
package-aligned CLI orchestration of local/remote Codex runner services
Rationale
Static inspection shows high-risk primitives, but they are reachable through explicit CLI commands and match the package’s stated Linzumi/Codex runner functionality. The scanner’s remote decode-execute concern appears to be a false positive for base64url JSON harness configuration, with no lifecycle hook or hidden payload found.
Evidence
package.jsonbin/linzumi.jsbin/remote-codex-harness-worker.jsdist/index.jsdist/mcp-server.mjsscripts/qa/codex-keychain-partition-repro.sh
Network endpoints6
serve.linzumi.comapp.linzumi.comlinzumi.comapi.groq.com/openai/v1openrouter.ai/api/v1registry.npmjs.org/

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js contains user-invoked remote Codex harness code gated by LINZUMI_REMOTE_CODEX_HARNESS_CONFIG_B64.
  • dist/index.js reads local auth/env tokens such as LINZUMI_MCP_ACCESS_TOKEN and thread runner tokens for CLI authentication.
  • dist/index.js uses child_process spawn/spawnSync for git discovery, Codex runner startup, and repair helpers.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; prepack is publish-time only.
  • bin/linzumi.js only loads dist/index.js and calls main() on explicit CLI execution.
  • Remote harness decodes base64url JSON config, not a remote asset payload, and validates required fields before use.
  • Network endpoints are Linzumi/Codex/LLM provider URLs aligned with the CLI purpose, including https://serve.linzumi.com and https://app.linzumi.com.
  • scripts/qa/codex-keychain-partition-repro.sh creates/deletes a dedicated test keychain and is not lifecycle-reachable.
  • No hidden import-time exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation was confirmed.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 2.15 MB of source, external domains: 0.0.0.0, 127.0.0.1, app.linzumi.com, brew.sh, fonts.googleapis.com, fonts.gstatic.com, github.com, json-schema.org, linzumi.com, nodejs.org, registry.npmjs.org, serve.linzumi.com, www.w3.org

Source & flagged code

8 flagged · loading source
dist/index.jsView file
19if (parentPort) parentPort.postMessage(result); L20: `});var D_={};Ps(D_,{discoverCurrentGitProject:()=>HL});import{spawnSync as zL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as C_,readdirSync as P_... L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function fj(e){let n=["README.md","README.markdown","readme.md"].map(t=>Ts(e,t)).find(t=>C_(t));if(n!==void 0)try{let r=BL(... ... L30: `," ")}function _l(e){if(!ie(e))return;let n=q(e.payload)??{},t=q(e.actor),r=se(e.seq),o=h(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:h(t?.kind),actorSlug:h... L31: `)}function fS(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function ng(e,n){let t=await Yh(e,n),r=eg(n.body,t,{uploadInstructionMode:"footer"}),o=t... L32: `)}function iF(e,n){let t=aF(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function sF(e,n){return h(e.kind)==="codex_assistant_message"?{...e...
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L19
2const require = createRequire(import.meta.url); L3: var DL=Object.create;var Lh=Object.defineProperty;var AL=Object.getOwnPropertyDescriptor;var ML=Object.getOwnPropertyNames;var OL=Object.getPrototypeOf,LL=Object.prototype.hasOwnPr... L4: const { workerData, parentPort } = require('node:worker_threads'); ... L19: if (parentPort) parentPort.postMessage(result); L20: `});var D_={};Ps(D_,{discoverCurrentGitProject:()=>HL});import{spawnSync as zL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as C_,readdirSync as P_... L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function fj(e){let n=["README.md","README.markdown","readme.md"].map(t=>Ts(e,t)).find(t=>C_(t));if(n!==void 0)try{let r=BL(... L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function pj(e){return Object.fromEntries(Object.entri... L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return ie(t)?[t]:[]}catch{return[]}})}catch{return[]}}function Pj(e){return e.flatMap((n,t)=>{if(n.type!=="response_... ... L27: ${u}`.split(` L28: `).filter(c=>c.trim()!=="")}catch{return[]}final
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.jsView on unpkg · L2
19Trigger-reachable chain: manifest.bin -> bin/linzumi.js -> dist/index.js L19: if (parentPort) parentPort.postMessage(result); L20: `});var D_={};Ps(D_,{discoverCurrentGitProject:()=>HL});import{spawnSync as zL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as C_,readdirSync as P_... L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function fj(e){let n=["README.md","README.markdown","readme.md"].map(t=>Ts(e,t)).find(t=>C_(t));if(n!==void 0)try{let r=BL(... ... L30: `," ")}function _l(e){if(!ie(e))return;let n=q(e.payload)??{},t=q(e.actor),r=se(e.seq),o=h(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:h(t?.kind),actorSlug:h... L31: `)}function fS(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function ng(e,n){let t=await Yh(e,n),r=eg(n.body,t,{uploadInstructionMode:"footer"}),o=t... L32: `)}function iF(e,n){let t=aF(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function sF(e,n){return h(e.kind)==="codex_assistant_message"?{...e...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L19
19if (parentPort) parentPort.postMessage(result); L20: `});var D_={};Ps(D_,{discoverCurrentGitProject:()=>HL});import{spawnSync as zL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as C_,readdirSync as P_... L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function fj(e){let n=["README.md","README.markdown","readme.md"].map(t=>Ts(e,t)).find(t=>C_(t));if(n!==void 0)try{let r=BL(...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L19
19if (parentPort) parentPort.postMessage(result); L20: `});var D_={};Ps(D_,{discoverCurrentGitProject:()=>HL});import{spawnSync as zL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as C_,readdirSync as P_... L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function fj(e){let n=["README.md","README.markdown","readme.md"].map(t=>Ts(e,t)).find(t=>C_(t));if(n!==void 0)try{let r=BL(... ... L30: `," ")}function _l(e){if(!ie(e))return;let n=q(e.payload)??{},t=q(e.actor),r=se(e.seq),o=h(e.type);if(!(r===void 0||o===void 0))return{seq:r,type:o,actorKind:h(t?.kind),actorSlug:h... L31: `)}function fS(e){return e.flatMap(n=>n.isImage?[{type:"localImage",path:n.path}]:[])}async function ng(e,n){let t=await Yh(e,n),r=eg(n.body,t,{uploadInstructionMode:"footer"}),o=t... L32: `)}function iF(e,n){let t=aF(e);switch(t.trim()===""&&n.length>0){case!0:return"Attached file.";case!1:return t}}function sF(e,n){return h(e.kind)==="codex_assistant_message"?{...e...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L19
2const require = createRequire(import.meta.url); L3: var DL=Object.create;var Lh=Object.defineProperty;var AL=Object.getOwnPropertyDescriptor;var ML=Object.getOwnPropertyNames;var OL=Object.getPrototypeOf,LL=Object.prototype.hasOwnPr... L4: const { workerData, parentPort } = require('node:worker_threads'); ... L19: if (parentPort) parentPort.postMessage(result); L20: `});var D_={};Ps(D_,{discoverCurrentGitProject:()=>HL});import{spawnSync as zL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as C_,readdirSync as P_... L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function fj(e){let n=["README.md","README.markdown","readme.md"].map(t=>Ts(e,t)).find(t=>C_(t));if(n!==void 0)try{let r=BL(... L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function pj(e){return Object.fromEntries(Object.entri... L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return ie(t)?[t]:[]}catch{return[]}})}catch{return[]}}function Pj(e){return e.flatMap((n,t)=>{if(n.type!=="response_... ... L27: ${u}`.split(` L28: `).filter(c=>c.trim()!=="")}catch{return[]}final
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L2
2Cross-file remote execution chain: dist/index.js spawns dist/mcp-server.mjs; helper contains network access plus dynamic code execution. L2: const require = createRequire(import.meta.url); L3: var DL=Object.create;var Lh=Object.defineProperty;var AL=Object.getOwnPropertyDescriptor;var ML=Object.getOwnPropertyNames;var OL=Object.getPrototypeOf,LL=Object.prototype.hasOwnPr... L4: const { workerData, parentPort } = require('node:worker_threads'); ... L19: if (parentPort) parentPort.postMessage(result); L20: `});var D_={};Ps(D_,{discoverCurrentGitProject:()=>HL});import{spawnSync as zL}from"node:child_process";import{homedir as UL}from"node:os";import{existsSync as C_,readdirSync as P_... L21: `).flatMap(t=>t.startsWith("worktree ")?[t.slice(9)]:[])}function fj(e){let n=["README.md","README.markdown","readme.md"].map(t=>Ts(e,t)).find(t=>C_(t));if(n!==void 0)try{let r=BL(... L22: `).map(o=>o.trim()).find(o=>o.startsWith("# "))?.replace(/^#+\s+/u,"").trim();return r===void 0||r===""?void 0:r}catch{return}}function pj(e){return Object.fromEntries(Object.entri... L23: `).filter(n=>n.trim()!=="").flatMap(n=>{try{let t=JSON.parse(n);return ie(t)?[t]:[]}catch{return[]}})}catch{return[]}}func…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L2
scripts/qa/codex-keychain-partition-repro.shView file
path = scripts/qa/codex-keychain-partition-repro.sh kind = build_helper sizeBytes = 5989 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/qa/codex-keychain-partition-repro.shView on unpkg

Findings

3 Critical5 High5 Medium5 Low
CriticalSame File Env Network Executiondist/index.js
CriticalRemote Asset Decode Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/index.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/qa/codex-keychain-partition-repro.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings