registry  /  @p-moon/yue-cli  /  0.2.14

@p-moon/yue-cli@0.2.14

CLI tool for mydb.jdfmgt.com — query databases and execute SQL via browser session

AI Security Review

scanned 8h ago · by lpm-firewall-ai

The explicit TUI command can fetch and execute an unpinned external agent binary or pipe a remote installer into `sh`. It also imports local Codex/Claude provider credentials into a package-owned agent configuration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `yue-cli tui` or `yue` when the `omp` agent is absent or outdated.
Impact
A compromised upstream release or installer can execute arbitrary code; local LLM credentials are exposed to the spawned agent configuration.
Mechanism
explicit agent bootstrap with remote binary execution and local credential import
Rationale
Source inspection confirms a user-invoked remote-code bootstrap and credential import path, not the scanner's alleged install-time malware chain. The behavior warrants a warning rather than a block because it is explicit-user-triggered and does not mutate foreign agent controls or directly exfiltrate data.
Evidence
package.jsonbin/yue.mjsdist/bin/yue-cli.js.yue-cli/extensions/yue-tools.ts.yue-cli/SYSTEM_PROMPT.md~/.codex/config.toml~/.claude/settings.json~/.yue-cli/agent/models.yml~/.local/bin/omp
Network endpoints3
api.github.com/repos/can1357/oh-my-pi/releases/latestgithub.com/can1357/oh-my-pi/releases/download/omp.sh/install

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/bin/yue-cli.js` downloads a latest-release `omp` binary, chmods it, then executes it.
  • `dist/bin/yue-cli.js` falls back to `curl -fsSL https://omp.sh/install | sh` from the `tui` command.
  • `dist/bin/yue-cli.js` reads `~/.codex/config.toml` and `~/.claude/settings.json`, including configured API tokens.
  • Detected provider data, including API keys when present, is written to `~/.yue-cli/agent/models.yml` for the spawned agent.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook executes on consumers.
  • Remote installation and agent setup occur only after explicit `yue-cli tui`/`yue` invocation.
  • No package code sends harvested config contents to an attacker-controlled endpoint.
  • Agent files are package-owned under `~/.yue-cli`; no foreign AI-agent config is modified.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 546 KB of source, external domains: 127.0.0.1, api-pserve-proxy.jd.com, api.github.com, api.jsf.jd.com, api.origin.jd.com, digger.jd.com, dongmonitor.jd.com, github.com, hl.taishan.jd.com, intest-manager.jd.com, jagile.jd.com, joybuy.taishan.jd.com, joyspace.jd.com, joywatch.jd.com, mydb.jdfmgt.com, omp.sh, openme.jd.local, origin.jmq.jd.com, taishan.jd.com, test-intl.taishan.jd.com, test.intest-client.jd.com, test.taishan.jd.com, th.intest-manager.jd.com, th.taishan.jd.com, uk-test.intest-client.jd.com, uk.intest-manager.jd.com, www.google.com

Source & flagged code

7 flagged · loading source
bin/yue.mjsView file
8*/ L9: import { spawn } from 'node:child_process'; L10: import { resolve } from 'node:path';
High
Child Process

Package source references child process execution.

bin/yue.mjsView on unpkg · L8
dist/bin/yue-cli.jsView file
6115const binaryName = `omp-${platform3}-${arch2}`; L6116: const installDir = process.env.PI_INSTALL_DIR || path7.join(os7.homedir(), ".local", "bin"); L6117: const installPath = path7.join(installDir, "omp"); L6118: let releaseJson = null; L6119: releaseJson = httpsGetSync(`https://api.github.com/repos/${REPO}/releases/latest`, 1e4); L6120: if (!releaseJson) { L6121: try { L6122: const r = spawnSync("curl", [ L6123: "-fsSL",
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/bin/yue-cli.jsView on unpkg · L6115
71} L72: return { ok: false, status: 504, body: `Max retries (${maxRetries}) exceeded \u2014 ${label}` }; L73: } ... L100: import * as crypto3 from "node:crypto"; L101: import * as child_process from "node:child_process"; L102: import { createRequire } from "node:module"; ... L110: try { L111: return JSON.parse(fs4.readFileSync(JOBS_FILE, "utf-8")); L112: } catch { ... L172: const nodeCronPath = require2.resolve("node-cron"); L173: const projectRoot = path4.resolve(import.meta.dirname || __dirname, "../.."); L174: const binTsPath = path4.join(projectRoot, "bin/yue-cli.ts");
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/bin/yue-cli.jsView on unpkg · L71
211stdio: ['ignore', 'pipe', 'pipe'], L212: shell: true, L213: detached: false,
High
Shell

Package source references shell execution.

dist/bin/yue-cli.jsView on unpkg · L211
6075}); L6076: req.end(); L6077: }); L6078: }; L6079: const { execSync: execSync3 } = __require("node:child_process"); L6080: const result = execSync3( L6081: `node -e "const https=require('https');const url='${urlStr.replace(/'/g, "\\'")}';const bufs=[];let n=0;const req=https.get(url,{timeout:${timeout}},res=>{if([301,302].includes(res... L6082: { encoding: "buffer", timeout: timeout + 5e3, maxBuffer: 100 * 1024 * 1024 }
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin/yue-cli.jsView on unpkg · L6075
71Cross-file remote execution chain: dist/bin/yue-cli.js spawns dist/bin/yue.js; helper contains network access plus dynamic code execution. L71: } L72: return { ok: false, status: 504, body: `Max retries (${maxRetries}) exceeded \u2014 ${label}` }; L73: } ... L100: import * as crypto3 from "node:crypto"; L101: import * as child_process from "node:child_process"; L102: import { createRequire } from "node:module"; ... L110: try { L111: return JSON.parse(fs4.readFileSync(JOBS_FILE, "utf-8")); L112: } catch { ... L172: const nodeCronPath = require2.resolve("node-cron"); L173: const projectRoot = path4.resolve(import.meta.dirname || __dirname, "../.."); L174: const binTsPath = path4.join(projectRoot, "bin/yue-cli.ts");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/yue-cli.jsView on unpkg · L71
bin/yue-cli.mjsView file
5const __main = new URL('file:///' + join(__dirname, '..', 'dist', 'bin', 'yue-cli.js').replace(/^\//, '')); L6: await import(__main.href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/yue-cli.mjsView on unpkg · L5

Findings

2 Critical4 High4 Medium5 Low
CriticalSame File Env Network Executiondist/bin/yue-cli.js
CriticalDownload Executedist/bin/yue-cli.js
HighChild Processbin/yue.mjs
HighShelldist/bin/yue-cli.js
HighCommand Output Exfiltrationdist/bin/yue-cli.js
HighCross File Remote Execution Contextdist/bin/yue-cli.js
MediumDynamic Requirebin/yue-cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings