
@quantum-ai/roo-code-cli@0.2.8

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. The package is a user-invoked AI coding agent CLI whose default non-interactive path auto-approves high-risk file and command actions once it is run.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User runs the `roo` CLI with an API key/prompt or invokes `roo upgrade`.
Impact
A remote model can drive workspace reads, writes, MCP, and command execution under the CLI's approval settings; upgrade executes a remote installer script.
Mechanism
user-invoked AI agent local file and shell tool bridge
Attack narrative
The risky behavior is activated by running the CLI, not by package installation. The CLI embeds Roo Code extension logic, configures provider credentials from user-supplied flags/env vars, and in its default no-approval path enables broad read/write/MCP/command permissions for the agent. This is dangerous dual-use functionality aligned with an AI coding agent, but static inspection did not find covert credential harvesting, persistence, dependency confusion, or automatic lifecycle execution.
Rationale
Static inspection supports a warning for dangerous user-invoked agent capabilities, not a publish block for malware. The scanner's child_process/network findings map to explicit CLI upgrade and agent functionality rather than covert execution.
Evidence
  • package.json
  • apps/cli/package.json
  • apps/cli/dist/index.cjs
  • apps/cli/extension/wasm_exec_node.js
  • apps/cli/extension/package.json
  • ~/.roo/cli-settings.json
  • ~/.vscode-mock/global-storage
  • workspace paths selected by the user
  • temporary roo-cli-* storage when --ephemeral is used
Network endpoints (2)
  • api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100
  • raw.githubusercontent.com/RooCodeInc/Roo-Code/main/apps/cli/install.sh

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • apps/cli/dist/index.cjs sets nonInteractive auto-approval to allow read/write/MCP/execute and allowedCommands ['*'] when approval is not required.
  • apps/cli/dist/index.cjs loads a bundled Roo extension and bridges prompts to provider-backed agent tools over the user's workspace.
  • apps/cli/dist/index.cjs upgrade command runs `sh -c` with curl-piped installer from raw.githubusercontent.com.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; bin is user-invoked `roo`.
  • API keys are read from CLI flags or provider env vars for configured LLM providers, not harvested broadly or exfiltrated in reviewed code.
  • File writes target CLI settings/storage, extension mock storage, task workspace actions, or explicit upgrade flow.
  • apps/cli/extension/wasm_exec_node.js is standard Go wasm runner scaffolding, not an install/import payload.
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
No License
scanned 4 file(s), 1.22 MB of source, external domains: api.github.com, api.minimax.io, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, dev.to, dotenvx.com, feross.org, fireworks.ai, github.com, jimmy.warting.se, platform.minimax.io, raw.githubusercontent.com, sheetjs.com, www.eliostruyf.com
Oversized source lightweight scan
apps/cli/extension/extension.js (32.8 MB file, sampled 256 KB)
  Filesystem, Child Process, Environment Vars, Crypto, High Entropy Strings, Url Strings
  external domains: dev.to, dotenvx.com, feross.org, github.com, jimmy.warting.se, sheetjs.com, www.eliostruyf.com
apps/cli/extension/workers/countTokens.js (2.28 MB file, sampled 256 KB)
  Filesystem, Child Process, Eval, Shell, High Entropy Strings

Source & flagged code

6 flagged
apps/cli/dist/index.cjs
matchType = previous_version_dangerous_delta
matchedPackage = @quantum-ai/roo-code-cli@0.2.7
matchedIdentity = npm:[redacted]:0.2.7
similarity = 0.750
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

apps/cli/dist/index.cjs
18696: // src/commands/cli/upgrade.ts
18697: var import_child_process = require("child_process");
18698: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Child Process

Package source references child process execution.

apps/cli/dist/index.cjs · L18696
160: ]).optional(),
161: codebaseIndexEmbedderBaseUrl: import_zod2.z.string().optional(),
162: codebaseIndexEmbedderModelId: import_zod2.z.string().optional(),
...
11429: if (import_fs.default.existsSync(candidate)) {
11430: const packageJson = JSON.parse(import_fs.default.readFileSync(candidate, "utf-8"));
11431: return packageJson.version;
...
18696: // src/commands/cli/upgrade.ts
18697: var import_child_process = require("child_process");
18698: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

apps/cli/dist/index.cjs · L160
apps/cli/extension/wasm_exec_node.js
12: globalThis.require = require;
13: globalThis.fs = require("fs");
14: globalThis.TextEncoder = require("util").TextEncoder;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

apps/cli/extension/wasm_exec_node.js · L12
apps/cli/extension/tree-sitter-elm.wasm
path = apps/cli/extension/tree-sitter-elm.wasm
kind = wasm_module
sizeBytes = 148886
magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

apps/cli/extension/tree-sitter-elm.wasm
apps/cli/extension/workers/countTokens.js
path = [redacted].js
kind = oversized_source_file
sizeBytes = 2395419
magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

apps/cli/extension/workers/countTokens.js

Findings

1 Critical · 4 High · 4 Medium · 6 Low
Critical · Previous Version Dangerous Delta · apps/cli/dist/index.cjs
High · Child Process · apps/cli/dist/index.cjs
High · Shell
High · Remote Agent Bridge · apps/cli/dist/index.cjs
High · Oversized Source File · apps/cli/extension/workers/countTokens.js
Medium · Dynamic Require · apps/cli/extension/wasm_exec_node.js
Medium · Environment Vars
Medium · Ships Wasm Module · apps/cli/extension/tree-sitter-elm.wasm
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License