AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked local tracking server with optional Codex/Claude hook integration for reward notifications.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running `kitcode`, `kitcode serve`, `kitcode codex on`, or `kitcode claude on`.
Impact
Tracks local project activity/reward state and can add opt-in agent hooks; no exfiltration or unconsented lifecycle mutation observed.
Mechanism
local server, filesystem state, optional agent hook/skill installer
Rationale
Static inspection shows explicit CLI commands for a local activity/reward tool, including opt-in agent hook installation, with no lifecycle execution, credential theft, payload loading, or exfiltration. The risky primitives are aligned with the advertised local server and integration features.
Evidence
package.jsonbin/kitcode.mjssrc/hook-prompt.mjssrc/hook-installers.mjssrc/skill-installer.mjssrc/runner-installer.mjssrc/api.mjssrc/runtime.mjssrc/store.mjssrc/cors.mjssrc/git.mjssrc/vibe.mjs~/.kitcode/state.json~/.kitcode/hook.log~/.kitcode/bin/kitcode~/.kitcode/bin/kitcode.cmd~/.codex/hooks.json~/.codex/skills/kitcode/SKILL.md~/.claude/settings.json~/.claude/skills/kitcode/SKILL.md
Network endpoints10
kitcode.onedigitas.com/kitcode.onedigitas.com127.0.0.1:4747localhost:8686127.0.0.1:8686localhost:3000127.0.0.1:3000localhost:5173127.0.0.1:5173github.com/onedigitas/kit-code/blob/main/README.md
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
- User-invoked `codex on`/`claude on` writes agent hook configs and skills via src/hook-installers.mjs and src/skill-installer.mjs.
- src/runner-installer.mjs creates ~/.kitcode/bin/kitcode runner that can fall back to `npx -y @onedigitas/kitcode`.
- bin/kitcode.mjs opens external dashboard URL when run unless disabled.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- AI-agent hook installation is explicit CLI functionality, not import-time or install-time execution.
- src/hook-prompt.mjs only reads hook stdin, checks local reward state, sends desktop notification, and emits bounded hook context.
- No credential/env harvesting, remote payload download, destructive behavior, persistence beyond user-invoked local integration files, or network exfiltration found.
- Network use is package-aligned: local health check/server and documented dashboard URL.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebin/kitcode.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @onedigitas/kitcode@0.1.2
matchedIdentity = npm:QG9uZWRpZ2l0YXMva2l0Y29kZQ:0.1.2
similarity = 0.636
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
bin/kitcode.mjsView on unpkgFindings
1 Critical2 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/kitcode.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings