registry  /  bizcoder  /  0.3.70

bizcoder@0.3.70

BizCoder — 기업용 AI 코딩 에이전트 (terminal CLI). 웹과 같은 회사 계정·정책·청구로 묶입니다.

AI Security Review

scanned 17h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established in this package source. The only executable code is a user-invoked CLI wrapper that delegates to a package-named platform optional dependency.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the bizcoder CLI binary.
Impact
Executes package-aligned optional dependency binary with user-provided CLI arguments; no source-level exfiltration or install-time mutation observed.
Mechanism
platform binary launcher via spawnSync
Rationale
Static source inspection shows a conventional optional-dependency binary launcher with no lifecycle hooks, network behavior, credential access, persistence, or AI-agent control-surface mutation. The copied OpenCode README is suspicious packaging hygiene but does not create a concrete malicious behavior in the inspected source.
Evidence
package.jsonbin/bizcoder.mjsREADME.mdbizcoder-<platform>-<arch>/bin/bizcoder

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/bizcoder.mjs uses child_process.spawnSync to execute a platform optional dependency binary when the bizcoder CLI is invoked.
  • README.md appears copied from OpenCode and contains unrelated opencode.ai installation commands, indicating packaging/branding inconsistency.
Evidence against
  • package.json has no preinstall/install/postinstall or other lifecycle scripts.
  • bin/bizcoder.mjs only resolves bizcoder-${platform}-${arch}/bin/bizcoder and passes through CLI args/stdio; no import-time execution beyond launcher logic.
  • No credential/env harvesting, filesystem mutation, eval/vm/Function, obfuscation, or network code found in package source.
  • The install command in bin/bizcoder.mjs is only an error message, not executed by the package.
  • Package contents are limited to package.json, README.md, and the CLI launcher.
Behavioral surface
Source
ChildProcessShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 866 B of source, external domains: bizcoder.ai

Source & flagged code

2 flagged · loading source
bin/bizcoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module"
High
Child Process

Package source references child process execution.

bin/bizcoder.mjsView on unpkg · L3
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module" ... L14: console.error(`BizCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`) L15: console.error(`해결: npm install -g bizcoder --force · 안내: https://bizcoder.ai/cli/`) L16: process.exit(1)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/bizcoder.mjsView on unpkg · L3

Findings

3 High1 Low
HighChild Processbin/bizcoder.mjs
HighShell
HighRuntime Package Installbin/bizcoder.mjs
LowUrl Strings