registry  /  @pat-lewczuk/cezar  /  0.1.5

@pat-lewczuk/cezar@0.1.5

Local cockpit for running and tracking AI agent tasks in your repo. Uses your logged-in `claude` CLI and `gh` — zero config, zero database.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. User-started runs can launch an autonomous coding-agent CLI with edit and shell capability. Selected remote directory skills are copied into the project’s Claude skill directory and excluded from git.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `cezar`/`cezar run` or uses the local cockpit to start a task; selecting a team directory skill activates materialization.
Impact
Remote team-skill content can influence a user-started agent session and modify its project/worktree; no install-time or covert attack chain is confirmed.
Mechanism
Autonomous agent execution plus project-level Claude skill materialization from configured git repositories.
Rationale
Source inspection confirms an explicit-user-agent orchestration and remote skill materialization capability, but not concrete malware behavior. Warn for the guarded project-level AI-agent extension and autonomous execution risk; do not block.
Evidence
package.jsondist/core/codex-app-server-runner.jsdist/core/claude-cli-runner.jsdist/skills-remote.jsdist/workflows/run.jsdist/server/server.js<repo>/.ai/cezar/config.json<repo>/.claude/skills/<name>/<repo>/.git/info/exclude<repo>/.ai/cezar/
Network endpoints2
registry.npmjs.org/<package>/latestgithub.com/open-mercato/skills.git

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/skills-remote.js` clones configured team skills and writes selected directory skills into `<repo>/.claude/skills/<name>/`.
  • `dist/skills-remote.js` appends those generated skill paths to the repository’s `.git/info/exclude`.
  • `dist/core/codex-app-server-runner.js` launches Codex with workspace-write, approval policy documented as never, and network access enabled by default.
  • `dist/core/claude-cli-runner.js` starts Claude with `acceptEdits`; default workflow tools include Bash.
  • `dist/server/server.js` exposes a local agent-run endpoint and a team-skill refresh endpoint; normal bind is loopback.
Evidence against
  • `package.json` has only `prepublishOnly`; no install, postinstall, or preinstall hook executes for consumers.
  • No package source evidence of credential harvesting, token upload, hidden exfiltration, eval, native loading, or runtime package installation.
  • Network use is package-aligned: npm registry update checks, configured git skill repositories, and user-selected agent/forge actions.
  • CLI/server activation requires an explicit `cezar` command; the normal server binds to `127.0.0.1`.
  • Skill materialization is scoped to the selected project/worktree and occurs during a user-started agent step.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 108 file(s), 2.78 MB of source, external domains: 127.0.0.1, claude.com, example.com, github.com, opencode.ai, react.dev, registry.npmjs.org, www.ibm.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/core/claude-cli-runner.jsView file
1import { spawn as nodeSpawn } from 'node:child_process'; L2: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

dist/core/claude-cli-runner.jsView on unpkg · L1
dist/core/process-usage.jsView file
164/** One system-wide snapshot in the `pid ppid rssKb cpu` shape `parsePsOutput` expects; null on L165: * any failure. Unix uses `ps`; Windows uses PowerShell's Win32_Process (WorkingSetSize → KB, L166: * cpu reported as 0 — the memory guard only needs RSS). */
High
Shell

Package source references shell execution.

dist/core/process-usage.jsView on unpkg · L164
web/dist/assets/jsx-Bz0zcwM4.jsView file
1var e=[Object.freeze(JSON.parse(`{"displayName":"JSX","name":"jsx","patterns":[{"include":"#directives"},{"include":"#statements"},{"include":"#shebang"}],"repository":{"access-mod...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

web/dist/assets/jsx-Bz0zcwM4.jsView on unpkg · L1
scripts/dev.mjsView file
36const args = ['run', script, '--', ...extraArgs]; L37: const env = { ...process.env, CEZ_API_PORT: String(apiPort) }; L38: return npmExecpath L39: ? spawn(process.execPath, [npmExecpath, ...args], { cwd: repoRoot, stdio: 'inherit', env }) L40: : spawn(npmCli, args, { cwd: repoRoot, stdio: 'inherit', env, shell: process.platform === 'win32' }); ... L51: try { L52: const res = await fetch(`http://127.0.0.1:${apiPort}/api/health`); L53: if (res.ok) break;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/dev.mjsView on unpkg · L36
dist/core/backend-detect.jsView file
40available: false, L41: hint: 'install Claude Code (npm i -g @anthropic-ai/claude-code) and log in', L42: }; ... L47: try { L48: const { stdout } = await exec(bin, ['--version'], { timeout: 10_000 }); L49: return {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/backend-detect.jsView on unpkg · L40
web/dist/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2View file
path = web/dist/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2 kind = high_entropy_blob sizeBytes = 40404 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

web/dist/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2View on unpkg
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pat-lewczuk/cezar@0.1.3 matchedIdentity = npm:QHBhdC1sZXdjenVrL2NlemFy:0.1.3 similarity = 0.464 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical5 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/core/claude-cli-runner.js
HighShelldist/core/process-usage.js
HighSame File Env Network Executionscripts/dev.mjs
HighRuntime Package Installdist/core/backend-detect.js
HighShips High Entropy Blobweb/dist/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2
MediumDynamic Requireweb/dist/assets/jsx-Bz0zcwM4.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings