registry  /  @mushi-mushi/cli  /  0.24.0

@mushi-mushi/cli@0.24.0

CLI for Mushi Mushi — `mushi init` wizard installs the right SDK for your framework, plus report triage and pipeline health commands

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a documented CLI that stores Mushi credentials, writes project env files, and optionally wires package-aligned MCP server entries only when the user runs CLI setup/connect commands.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs mushi init, mushi connect, mushi setup, or related CLI subcommands
Impact
Credentials may be stored in local config/env/MCP files and sent to the configured Mushi endpoint for intended authentication or telemetry; no install-time hijack or exfiltration was confirmed.
Mechanism
Package-aligned CLI configuration, API calls, SDK installation, and optional MCP wiring
Rationale
Scanner credential-exfiltration and persistence labels map to documented, user-invoked Mushi setup flows rather than install-time or hidden behavior. The MCP/control-surface writes are explicit package-aligned CLI features, not unconsented lifecycle mutation of a foreign agent surface.
Evidence
package.jsonREADME.mddist/index.jsdist/init.jsdist/connect-7LTQRBEW.jsdist/chunk-BWASDQI6.jsdist/chunk-LDPFTQLE.js~/.config/mushi/config.json~/.mushirc.env.local.env.cursor/mcp.json.gitignore.claude/mcp.json.claude/rules/mushi.md.continue/mcp.json~/.config/zed/settings.json.cursorrules
Network endpoints4
dxptnwrhwsqckaftyymj.supabase.co/functions/v1/apiregistry.npmjs.orgkensaur.us/mushi-mushi/adminlocalhost:6464

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js user-invoked setup/connect can write .cursor/.claude/.continue/Zed MCP configs with npx @mushi-mushi/mcp@latest and MUSHI credentials
  • dist/init.js init can install framework SDK packages and append MUSHI_* values to .env.local/.env after interactive setup
  • dist/init.js sends opt-out funnel/test-report requests with the Mushi API key to the configured endpoint
Evidence against
  • package.json has no npm lifecycle scripts; only bin is ./dist/index.js
  • README.md documents init/connect/setup behavior including env writes, Cursor MCP wiring, credentials, and update check
  • dist/index.js only registers CLI commands at import/entry; risky writes occur from explicit commands, not install-time
  • dist/chunk-LDPFTQLE.js default endpoint is package-aligned Mushi Cloud and enforces https except local hosts
  • No broad environment harvesting found; env reads are MUSHI_* config, CI/debug flags, package-manager detection, and BYOK only for explicit keys add
  • MCP/IDE writes are package-named and user-invoked, with dry-run/no-ide/no-env controls and gitignore warnings
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 320 KB of source, external domains: dxptnwrhwsqckaftyymj.supabase.co, github.com, kensaur.us, registry.npmjs.org, xyz.supabase.co, your-app.vercel.app

Source & flagged code

4 flagged · loading source
dist/index.jsView file
52import * as p from "@clack/prompts"; L53: import { spawn } from "child_process"; L54: import { randomUUID } from "crypto"; ... L62: let end = endpoint.length; L63: while (end > 0 && endpoint.charCodeAt(end - 1) === 47) end--; L64: return endpoint.slice(0, end); L65: } L66: async function deviceFetch(url, init = {}) { L67: const controller = new AbortController(); ... L79: headers: { "Content-Type": "application/json" }, L80: body: JSON.stringify(clientId ? { client_id: clientId } : {}) L81: });
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L52
52Trigger-reachable chain: manifest.exports -> dist/index.js L52: import * as p from "@clack/prompts"; L53: import { spawn } from "child_process"; L54: import { randomUUID } from "crypto"; ... L62: let end = endpoint.length; L63: while (end > 0 && endpoint.charCodeAt(end - 1) === 47) end--; L64: return endpoint.slice(0, end); L65: } L66: async function deviceFetch(url, init = {}) { L67: const controller = new AbortController(); ... L79: headers: { "Content-Type": "application/json" }, L80: body: JSON.stringify(clientId ? { client_id: clientId } : {}) L81: });
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L52
52import * as p from "@clack/prompts"; L53: import { spawn } from "child_process"; L54: import { randomUUID } from "crypto"; ... L62: let end = endpoint.length; L63: while (end > 0 && endpoint.charCodeAt(end - 1) === 47) end--; L64: return endpoint.slice(0, end); L65: } L66: async function deviceFetch(url, init = {}) { L67: const controller = new AbortController(); ... L79: headers: { "Content-Type": "application/json" }, L80: body: JSON.stringify(clientId ? { client_id: clientId } : {}) L81: });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L52
dist/chunk-BWASDQI6.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @mushi-mushi/cli@0.23.0 matchedIdentity = npm:QG11c2hpLW11c2hpL2NsaQ:0.23.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-BWASDQI6.jsView on unpkg

Findings

3 Critical4 Medium4 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
CriticalPrevious Version Dangerous Deltadist/chunk-BWASDQI6.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings