AI Security Review
scanned 18h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established in this package source. The package is a thin CLI launcher that runs a platform-specific optional dependency only when the user invokes bizcoder.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit bizcoder CLI invocation.
Impact
Delegates argv and stdio to bizcoder-${platform}-${arch}/bin/bizcoder; no install-time behavior in this package.
Mechanism
Platform optional-dependency binary launcher via spawnSync.
Rationale
The scanner findings map to a normal CLI launcher pattern and there are no lifecycle hooks or source-level exfiltration, persistence, destructive behavior, or AI-agent control-surface writes. The README/package branding mismatch and uninspected optional binary dependency are packaging risk signals, but not concrete malicious behavior in this source package.
Evidence
package.jsonbin/bizcoder.mjsREADME.md
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- README.md is copied from OpenCode while package metadata is BizCoder, indicating packaging inconsistency.
- bin/bizcoder.mjs delegates execution to an optional platform package binary not present in this source tarball.
Evidence against
- package.json has no preinstall/install/postinstall or other lifecycle scripts.
- package.json exposes only the bizcoder CLI bin and optional platform dependencies.
- bin/bizcoder.mjs only resolves bizcoder-${platform}-${arch}/bin/bizcoder and spawnSyncs it on explicit CLI invocation.
- No source code reads credentials, environment secrets, SSH files, agent configs, or project files.
- No source code performs network calls, dynamic eval/vm/Function, persistence, destructive actions, or install-time mutation.
Behavioral surface
ChildProcessShell
UrlStrings
Source & flagged code
2 flagged · loading sourcebin/bizcoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough.
L4: import { spawnSync } from "node:child_process"
L5: import { createRequire } from "node:module"
High
3// optional dependency) and execs it with full stdio passthrough.
L4: import { spawnSync } from "node:child_process"
L5: import { createRequire } from "node:module"
...
L14: console.error(`BizCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`)
L15: console.error(`해결: npm install -g bizcoder --force · 안내: https://bizcoder.ai/cli/`)
L16: process.exit(1)
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/bizcoder.mjsView on unpkg · L3Findings
3 High1 Low
HighChild Processbin/bizcoder.mjs
HighShell
HighRuntime Package Installbin/bizcoder.mjs
LowUrl Strings