
bdo-cli@0.44.4

Bushido (bdo) - High-performance CLI proxy to minimize LLM token consumption. Fork of rtk (Rust Token Killer).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Install-time code fetches a native executable archive from a package-aligned GitHub release and stores it under the package directory. The package is a staged native binary carrier, but no concrete malicious behavior is visible in the JavaScript wrapper source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; bdo CLI invocation runs the installed native binary
Impact
User runs an unaudited downloaded executable; source inspection of the JS wrapper does not confirm malicious behavior
Mechanism
install-time remote native binary download and extraction
Attack narrative
During installation, postinstall loads install.js, resolves the current OS/architecture in binary.js, downloads the matching release archive from GitHub, and extracts it into node_modules/.bin_real. The bdo bin wrapper later spawns that native binary with user arguments. The reviewed JS wrapper does not modify external AI-agent configuration or exfiltrate data, but the package ships functionality through an install-time downloaded native payload not inspectable in the extracted package.
Rationale
The package has a real install-time remote binary delivery surface without local integrity verification, so a "clean" verdict would understate the unresolved native payload risk. However, the inspected source shows package-aligned installation only and no concrete malicious lifecycle behavior or unconsented foreign AI-agent control-surface mutation.
Evidence
package.json, install.js, binary.js, binary-install.js, run-bdo.js, node_modules/.bin_real
Network endpoints (1)
github.com/tedorigawa001/TokenReductionTool/releases/download/v0.44.4

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall runs install.js at npm install time
  • install.js calls binary.install(false), which downloads a platform archive from GitHub releases
  • binary-install.js extracts downloaded tar/zip into node_modules/.bin_real using tar/unzip/powershell with no package-local hash check
  • run-bdo.js invokes the installed native bdo binary via spawnSync
Evidence against
  • Lifecycle code installs only package-owned binaries under node_modules/.bin_real
  • No install-time writes to Claude/Codex/Cursor/MCP or other foreign AI-agent control surfaces found in JS source
  • Proxy env vars are used only for HTTP(S) proxy support, not credential harvesting
  • No source evidence of credential exfiltration, persistence, destructive actions, eval, or arbitrary remote JS execution
Behavioral surface
Source
Child Process, Environment Vars, Filesystem, Network
Supply chain
Url Strings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.


Findings

1 High, 3 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings