registry  /  @remcostoeten/dev-menu  /  0.2.0

@remcostoeten/dev-menu@0.2.0

Zero-config dev process launcher and TUI for mono- and single-package repos

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs dev-menu and selects an AI-tool key combination in the TUI.
Impact
A user-selected AI agent may receive broad local tool permissions in the current project context.
Mechanism
Spawns configured local AI CLIs with inherited environment and permissive default arguments.
Rationale
No concrete malicious chain was found, but the package deliberately provides interactive launch paths for high-permission AI agents. This warrants a warning rather than a publication block.
Evidence
package.jsonsrc/config.tssrc/cli.tssrc/bin.tssrc/shell-install.tssrc/init.tsdev-menu.config.ts.gitignore

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/config.ts defines Codex with --yolo and Claude with --dangerously-skip-permissions.
  • src/cli.ts launches configured AI tools with inherited environment and supplied error text.
  • src/bin.ts exposes the AI-launching TUI only through normal CLI runtime.
  • src/shell-install.ts writes shell integration only after explicit install-shell invocation.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare hook; prepublishOnly is publish-time validation.
  • No package-originated HTTP client, remote endpoint, credential exfiltration, eval, or payload download was found.
  • Network checks use only 127.0.0.1 port probes.
  • Shell/profile and config writes are interactive user-invoked setup actions.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
Manifest
WildcardDependency
scanned 15 file(s), 108 KB of source, external domains: bun.sh

Source & flagged code

3 flagged · loading source
bin/dev-menu.mjsView file
7if (process.versions.bun) { L8: await import(entry) L9: } else {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/dev-menu.mjsView on unpkg · L7
src/shell-install.tsView file
52if (!requested) { L53: process.stderr.write( L54: ` \x1b[31mcould not detect your shell\x1b[0m — pass one explicitly:\n` + ... L89: function detectShell(): Shell | undefined { L90: const shell = process.env.SHELL ?? '' L91: if (shell.includes('fish')) return 'fish' ... L125: function installPosix(shell: Shell, aliases: string[]): void { L126: const rc = resolve(home(), shell === 'zsh' ? '.zshrc' : '.bashrc') L127: const block = `${BLOCK_START}\n${snippetFor(shell, aliases)}\n${BLOCK_END}\n`
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/shell-install.tsView on unpkg · L52
src/cli.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @remcostoeten/dev-menu@0.1.1 matchedIdentity = npm:QHJlbWNvc3RvZXRlbi9kZXYtbWVudQ:0.1.1 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli.tsView on unpkg

Findings

1 High4 Medium4 Low
HighPrevious Version Dangerous Deltasrc/cli.ts
MediumDynamic Requirebin/dev-menu.mjs
MediumEnvironment Vars
MediumInstall Persistencesrc/shell-install.ts
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings