@telecode/cli@0.2.0

The telecode daemon — runs Claude Code agents on your machine, dialing out to the relay.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. The package is a user-run daemon that connects to a Telecode relay and can optionally install first-party Claude Code hooks. This creates an agent control-surface extension, but it is explicit and package-aligned rather than an unconsented install-time hijack.

Static reason
No blocking static signals were detected.
Trigger
Running `telecode`, or explicitly running `telecode hooks install`.
Impact
Remote Telecode sessions can supervise/drive Claude agent work after user pairing and approvals; optional hooks route local Claude Code events through Telecode.
Mechanism
Outbound relay daemon plus optional Claude Code command hooks.
Rationale
Source inspection shows package-aligned daemon behavior with explicit pairing, outbound relay communication, optional user-command hook setup, and guarded permission handling. Because it mutates an AI-agent control surface only through an explicit first-party command, this is warning-level lifecycle risk rather than malware.
Evidence
  • package.json
  • bin/telecode.mjs
  • src/main.ts
  • src/relay-url.ts
  • src/pairing.ts
  • src/daemon.ts
  • src/claude-agent-adapter.ts
  • src/adopt/hooks-install.ts
  • src/adopt/hook-bridge.ts
  • src/adopt/hook-socket.ts
  • src/credentials.ts
  • src/sessions/repo-manager.ts
  • ~/.telecode/credentials.json
  • ~/.telecode/repos
  • ~/.telecode/worktrees
  • ~/.telecode/sessions
  • ~/.telecode/adopt-config.json
  • ~/.telecode/run/hook.sock
  • ~/.claude/settings.json
Network endpoints (2)
  • wss://relay.telecode.io/ws
  • telecode.io

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/main.ts exposes explicit `telecode hooks install` that writes Claude Code hooks to `~/.claude/settings.json`.
  • src/adopt/hooks-install.ts registers command hooks for PreToolUse, SessionStart, SessionEnd, Notification, and Stop.
  • src/daemon.ts dials outbound WebSocket relay and relays agent/session events to the service.
  • src/claude-agent-adapter.ts runs Claude Agent SDK sessions that may execute approved tools.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Hook installation is an explicit CLI subcommand, not install-time or import-time mutation.
  • src/adopt/hook-bridge.ts and src/adopt/hook-socket.ts fail closed to `{}` rather than auto-allowing tools.
  • src/main.ts redacts tokens/private keys from logs and stores package credentials under `~/.telecode`.
  • src/sessions/repo-manager.ts and worktree-manager use execFile with argument arrays, not shell interpolation.
  • No credential harvesting, destructive behavior, remote payload download, or broad persistence found.
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell · WebSocket
Supply chain
HighEntropyStrings
Manifest
CopyleftLicense
scanned 40 file(s), 173 KB of source

Source & flagged code

1 flagged
bin/telecode.mjs
  9: register();
  10: await import(new URL('../src/main.ts', import.meta.url).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/telecode.mjs · L9

Findings

3 Medium, 4 Low
  • Medium · Dynamic Require · bin/telecode.mjs
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Copyleft License