registry  /  @p-moon/yue-cli  /  0.2.6

@p-moon/yue-cli@0.2.6

CLI tool for mydb.jdfmgt.com — query databases and execute SQL via browser session

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is confirmed. Explicit `yue-cli agent` use can download and shell-execute the OMP installer, import local AI-agent credentials into Yue's agent configuration, and launch a capable agent extension.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `yue-cli agent` or `yue` TUI mode.
Impact
A user-invoked agent setup can execute remote installer code and make locally configured LLM credentials available to the launched agent.
Mechanism
Explicit agent bootstrap with local credential discovery and remote installer execution.
Rationale
The scanner's download/execute finding is real but confined to an explicit agent command, not package installation. Source supports a warning for dangerous first-party agent setup rather than a malicious block.
Evidence
package.jsonbin/yue.mjsbin/yue-cli.mjsdist/bin/yue-cli.js.yue-cli/extensions/yue-tools.ts.yue-cli/config.yml
Network endpoints1
omp.sh/install

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/bin/yue-cli.js` runs `curl -fsSL https://omp.sh/install | sh` when explicit `agent` use cannot find `omp`.
  • `dist/bin/yue-cli.js` reads `~/.codex/config.toml` and `~/.claude/settings.json`, including configured bearer/auth tokens.
  • The `agent` command writes detected LLM settings to `~/.yue-cli/agent/models.yml` and launches the Oh My Pi agent with a package extension.
  • `.yue-cli/extensions/yue-tools.ts` exposes an agent tool that can execute arbitrary `yue` subcommands after agent approval.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; its only lifecycle hook is `prepublishOnly`.
  • `bin/yue-cli.mjs` only imports the CLI bundle when the user invokes a package binary.
  • Credential reads and agent-home writes occur only inside the explicit `agent` command path.
  • No source evidence sends harvested LLM credentials to a package-controlled remote endpoint or performs hidden install-time persistence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 529 KB of source, external domains: 127.0.0.1, api-pserve-proxy.jd.com, api.jsf.jd.com, api.origin.jd.com, digger.jd.com, dongmonitor.jd.com, hl.taishan.jd.com, intest-manager.jd.com, jagile.jd.com, joybuy.taishan.jd.com, joyspace.jd.com, joywatch.jd.com, mydb.jdfmgt.com, omp.sh, openme.jd.local, origin.jmq.jd.com, taishan.jd.com, test-intl.taishan.jd.com, test.intest-client.jd.com, test.taishan.jd.com, th.intest-manager.jd.com, th.taishan.jd.com, uk-test.intest-client.jd.com, uk.intest-manager.jd.com, www.google.com

Source & flagged code

5 flagged · loading source
bin/yue.mjsView file
8*/ L9: import { spawn } from 'node:child_process'; L10: import { resolve } from 'node:path';
High
Child Process

Package source references child process execution.

bin/yue.mjsView on unpkg · L8
dist/bin/yue-cli.jsView file
40import * as crypto3 from "node:crypto"; L41: import * as child_process from "node:child_process"; L42: import { createRequire } from "node:module"; ... L50: try { L51: return JSON.parse(fs4.readFileSync(JOBS_FILE, "utf-8")); L52: } catch { ... L112: const nodeCronPath = require2.resolve("node-cron"); L113: const projectRoot = path4.resolve(import.meta.dirname || __dirname, "../.."); L114: const binTsPath = path4.join(projectRoot, "bin/yue-cli.ts"); ... L136: fs.appendFileSync(LOG_FILE, line); L137: process.stdout.write(line); L138: }
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/bin/yue-cli.jsView on unpkg · L40
151stdio: ['ignore', 'pipe', 'pipe'], L152: shell: true, L153: detached: false,
High
Shell

Package source references shell execution.

dist/bin/yue-cli.jsView on unpkg · L151
40Cross-file remote execution chain: dist/bin/yue-cli.js spawns dist/bin/yue.js; helper contains network access plus dynamic code execution. L40: import * as crypto3 from "node:crypto"; L41: import * as child_process from "node:child_process"; L42: import { createRequire } from "node:module"; ... L50: try { L51: return JSON.parse(fs4.readFileSync(JOBS_FILE, "utf-8")); L52: } catch { ... L112: const nodeCronPath = require2.resolve("node-cron"); L113: const projectRoot = path4.resolve(import.meta.dirname || __dirname, "../.."); L114: const binTsPath = path4.join(projectRoot, "bin/yue-cli.ts"); ... L136: fs.appendFileSync(LOG_FILE, line); L137: process.stdout.write(line); L138: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/yue-cli.jsView on unpkg · L40
bin/yue-cli.mjsView file
5const __main = new URL('file:///' + join(__dirname, '..', 'dist', 'bin', 'yue-cli.js').replace(/^\//, '')); L6: await import(__main.href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/yue-cli.mjsView on unpkg · L5

Findings

1 Critical3 High4 Medium5 Low
CriticalDownload Executedist/bin/yue-cli.js
HighChild Processbin/yue.mjs
HighShelldist/bin/yue-cli.js
HighCross File Remote Execution Contextdist/bin/yue-cli.js
MediumDynamic Requirebin/yue-cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings