AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked local activity/reward server with optional documented Codex/Claude notification hooks.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs kitcode CLI commands, especially serve/run or codex/claude on.
Impact
Local aggregate activity is served to allowed origins; optional hooks add reward reminders only after explicit installation.
Mechanism
local server, project activity scanning, optional AI hook notification
Rationale
Source inspection shows potentially sensitive primitives are aligned with the advertised local companion server and explicit hook installer workflow. There is no install-time execution, unconsented AI-agent hook mutation, credential collection, destructive behavior, or remote exfiltration.
Evidence
package.jsonbin/kitcode.mjssrc/api.mjssrc/cors.mjssrc/git.mjssrc/hook-installers.mjssrc/hook-prompt.mjssrc/runtime.mjssrc/store.mjssrc/vibe.mjsREADME.md~/.kitcode/state.json~/.kitcode/hook.log~/.codex/hooks.json~/.claude/settings.jsontracked project files read for hashed aggregate counts
Network endpoints9
kitcode.onedigitas.com/kitcode.onedigitas.com127.0.0.1:4747localhost:8686127.0.0.1:8686localhost:3000127.0.0.1:3000localhost:5173127.0.0.1:5173
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- src/hook-installers.mjs can write ~/.codex/hooks.json and ~/.claude/settings.json when user runs codex/claude on.
- src/hook-prompt.mjs injects a short hookSpecificOutput reminder into Codex/Claude prompts after reward milestones.
- src/vibe.mjs recursively reads local project files to count hashed line changes.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts.
- bin/kitcode.mjs only runs as CLI bin; default starts local server on 127.0.0.1.
- README.md documents local server, dashboard CORS, and Codex/Claude hook commands.
- src/api.mjs exposes aggregate summary/reward endpoints, not raw source or file-read endpoints.
- No credential harvesting, remote payload loading, eval/vm/Function, or outbound exfiltration found.
- Hook installation is explicit via kitcode codex on or kitcode claude on, not automatic at install/import time.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
UrlStrings
Source & flagged code
1 flagged · loading sourcebin/kitcode.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @onedigitas/kitcode@0.1.1
matchedIdentity = npm:QG9uZWRpZ2l0YXMva2l0Y29kZQ:0.1.1
similarity = 0.545
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
bin/kitcode.mjsView on unpkgFindings
1 Critical2 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/kitcode.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings