@telecode/cli@0.4.0

The telecode daemon — runs Claude Code agents on your machine, dialing out to the relay.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a remote Claude Code daemon that can install first-party hooks into Claude Code settings at runtime and connect to telecode's relay. This is risky agent-extension behavior but not npm install-time hijacking or covert malware by source inspection.

Static reason
No blocking static signals were detected.
Trigger
User runs the telecode CLI after package installation or starts the telecode service.
Impact
Remote web-controlled sessions can launch Claude Code agent work gated by telecode policy; local Claude Code sessions may be adopted through installed hooks.
Mechanism
Runtime daemon, relay WebSocket, Claude Code hook installation, local agent/worktree management
Rationale
Source inspection shows real agent-extension lifecycle risk from default runtime Claude hook installation and relay-controlled daemon behavior, but no npm lifecycle execution, credential harvesting beyond package-owned pairing credentials, stealth persistence, destructive behavior, or remote payload loader. Per policy this fits warn/suspicious rather than publish block.
Evidence
  • package.json
  • bin/telecode.mjs
  • src/main.ts
  • src/daemon.ts
  • src/adopt/hooks-install.ts
  • src/adopt/claude-settings.ts
  • src/relay-url.ts
  • src/pairing.ts
  • src/claude-agent-adapter.ts
  • ~/.claude/settings.json
  • ~/.telecode/credentials.json
  • ~/.telecode/adopt-config.json
  • ~/.telecode/repos
  • ~/.telecode/worktrees
  • ~/Library/LaunchAgents/ai.telecode.daemon.plist
  • ~/.config/systemd/user/telecode.service
Network endpoints (3)
  • wss://relay.telecode.io/ws
  • relay.telecode.io/device/code
  • relay.telecode.io/device/token

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/main.ts enables adoption by default unless TELECODE_ADOPT=0 and passes ~/.claude/settings.json to daemon startup.
  • src/daemon.ts start() calls applyHookInstallState(), which auto-installs Claude Code hooks when adoptConfig.enabled is true.
  • src/adopt/hooks-install.ts writes command hooks for PreToolUse, SessionStart, SessionEnd, Notification, and Stop.
  • src/adopt/transcript-mirror.ts reads hook-provided Claude transcript paths for adopted sessions.
  • src/daemon.ts connects to a relay WebSocket and sends paired device token in hello payload.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/telecode.mjs only registers tsx and imports src/main.ts when the telecode CLI is executed.
  • Hook installation is first-party telecode integration, idempotent, and uninstall/status commands are provided.
  • Claude agent execution gates consequential tools through permission policy instead of honoring bypassPermissions.
  • Network use is package-aligned: pairing and daemon relay for a remote Claude-agent service.
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings
Manifest: CopyleftLicense
scanned 55 file(s), 221 KB of source

Source & flagged code

1 flagged

bin/telecode.mjs (L9–L10):
  L9:  register();
  L10: await import(new URL('../src/main.ts', import.meta.url).href);

Medium · Dynamic Require

Package source references dynamic require/import behavior.

bin/telecode.mjs · L9

Findings

3 Medium, 4 Low
  • Medium · Dynamic Require · bin/telecode.mjs
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Copyleft License