AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface in the inspected wrapper package. Runtime behavior is limited to user-invoked CLI delegation to a platform optional dependency binary.
Static reason
One or more suspicious static signals were detected.
Trigger
user runs the bizcoder CLI
Impact
executes the selected optional dependency binary with the user's CLI arguments
Mechanism
platform binary delegation via require.resolve and spawnSync
Rationale
The scanner findings map to a normal npm CLI launcher pattern and there is no install-time execution, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation in the inspected source. The optional dependency binary is outside this extracted package, so this package should not be blocked on the wrapper alone.
Evidence
package.jsonbin/bizcoder.mjsREADME.mdbizcoder-${platform}-${arch}/bin/bizcoder
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for warning
- bin/bizcoder.mjs uses child_process.spawnSync to execute a platform-specific optional dependency binary.
- README.md appears copied from OpenCode and includes curl/npm install examples, but README content is not executed by this package.
Evidence against
- package.json defines no preinstall/install/postinstall or other lifecycle scripts.
- package.json exposes only the bizcoder bin and optionalDependencies for platform packages at the same version.
- bin/bizcoder.mjs only require.resolve's bizcoder-${platform}-${arch}/bin/bizcoder and forwards user CLI arguments/stdio.
- No source reads env secrets, scans files, writes config, mutates AI-agent control surfaces, or performs network requests.
Behavioral surface
ChildProcessShell
UrlStrings
Source & flagged code
2 flagged · loading sourcebin/bizcoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough.
L4: import { spawnSync } from "node:child_process"
L5: import { createRequire } from "node:module"
High
3// optional dependency) and execs it with full stdio passthrough.
L4: import { spawnSync } from "node:child_process"
L5: import { createRequire } from "node:module"
...
L14: console.error(`BizCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`)
L15: console.error(`해결: npm install -g bizcoder --force · 안내: https://bizcoder.ai/cli/`)
L16: process.exit(1)
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/bizcoder.mjsView on unpkg · L3Findings
3 High1 Low
HighChild Processbin/bizcoder.mjs
HighShell
HighRuntime Package Installbin/bizcoder.mjs
LowUrl Strings