AI Security Review
scanned 4h ago · by lpm-firewall-ai
LPM treats this as a warn-only, first-party agent-extension lifecycle risk. The package is a remote Claude Code daemon that can install first-party hooks into Claude Code settings at runtime and connect to telecode's relay. This is risky agent-extension behavior, but not npm install-time hijacking or covert malware by source inspection.
Static reason
No blocking static signals were detected.
Trigger
User runs the telecode CLI after package installation or starts the telecode service.
Impact
Remote web-controlled sessions can launch Claude Code agent work gated by telecode policy; local Claude Code sessions may be adopted through installed hooks.
Mechanism
Runtime daemon, relay WebSocket, Claude Code hook installation, local agent/worktree management
Rationale
Source inspection shows real agent-extension lifecycle risk from default runtime Claude hook installation and relay-controlled daemon behavior, but no npm lifecycle execution, credential harvesting beyond package-owned pairing credentials, stealth persistence, destructive behavior, or remote payload loader. Per policy this fits warn/suspicious rather than publish block.
Evidence
- package.json
- bin/telecode.mjs
- src/main.ts
- src/daemon.ts
- src/adopt/hooks-install.ts
- src/adopt/claude-settings.ts
- src/relay-url.ts
- src/pairing.ts
- src/claude-agent-adapter.ts
- ~/.claude/settings.json
- ~/.telecode/credentials.json
- ~/.telecode/adopt-config.json
- ~/.telecode/repos
- ~/.telecode/worktrees
- ~/Library/LaunchAgents/ai.telecode.daemon.plist
- ~/.config/systemd/user/telecode.service
Network endpoints (3)
- wss://relay.telecode.io/ws
- relay.telecode.io/device/code
- relay.telecode.io/device/token
Decision evidence
Public snapshot: AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/main.ts enables adoption by default unless TELECODE_ADOPT=0 and passes ~/.claude/settings.json to daemon startup.
- src/daemon.ts start() calls applyHookInstallState(), which auto-installs Claude Code hooks when adoptConfig.enabled is true.
- src/adopt/hooks-install.ts writes command hooks for PreToolUse, SessionStart, SessionEnd, Notification, and Stop.
- src/adopt/transcript-mirror.ts reads hook-provided Claude transcript paths for adopted sessions.
- src/daemon.ts connects to a relay WebSocket and sends paired device token in hello payload.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- bin/telecode.mjs only registers tsx and imports src/main.ts when the telecode CLI is executed.
- Hook installation is first-party telecode integration, idempotent, and uninstall/status commands are provided.
- Claude agent execution gates consequential tools through permission policy instead of honoring bypassPermissions.
- Network use is package-aligned: pairing and daemon relay for a remote Claude-agent service.
Behavioral surface
- ChildProcess
- Crypto
- DynamicRequire
- EnvironmentVars
- Filesystem
- Network
- Shell
- WebSocket
- HighEntropyStrings
- CopyleftLicense
Source & flagged code
1 flagged · bin/telecode.mjs
    L9:  register();
    L10: await import(new URL('../src/main.ts', import.meta.url).href);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/telecode.mjs · L9
Findings
3 Medium · 4 Low
- Medium: Dynamic Require (bin/telecode.mjs)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Copyleft License