registry  /  code-ollama  /  0.38.0

code-ollama@0.38.0

Ollama coding agent that runs in your terminal

AI Security Review

scanned 23h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a terminal coding agent with powerful user-invoked file, shell, web, and MCP capabilities that are aligned with its stated purpose.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user execution of code-ollama/collama CLI or code-ollama run.
Impact
User-approved model/tool actions may read or modify project files, run shell commands, call configured MCP servers, and make web requests.
Mechanism
local Ollama coding agent tool dispatcher with trust prompt and optional MCP/web tools
Rationale
Static source inspection shows dangerous primitives, but they are the advertised, explicit runtime behavior of a coding-agent CLI, not install-time or hidden malicious behavior. No unconsented AI-agent control-surface mutation, exfiltration, remote payload execution, or stealth persistence was found.
Evidence
package.jsonREADME.mddist/cli.jsdist/assets/prompt-Uc9r_t0d.jsdist/assets/DirectoryTrustPrompt-Dr9PVykI.jsdist/assets/tui-B7rdzcBc.js~/.code-ollama/config.json~/.code-ollama/sessions~/.code-ollama/skills.code-ollama/skillsuser-specified project paths
Network endpoints5
localhost:11434r.jina.ai/html.duckduckgo.com/html/duckduckgo.comregistry.npmjs.org/code-ollama/latest

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli.js exposes user-invoked agent tools for file read/write/delete and shell execution via Ollama tool calls.
  • dist/cli.js can pass inherited process.env to user-configured MCP stdio servers via ~/.code-ollama/config.json.
  • dist/cli.js includes web_fetch/web_search tools and update checks to external endpoints.
Evidence against
  • package.json has no install/preinstall/postinstall scripts; prepare is husky and prepublishOnly is build/lint/test.
  • CLI actions require explicit invocation through code-ollama/collama bins, and workspace access is gated by a directory trust prompt unless --trust is used.
  • Default model endpoint is local Ollama at http://localhost:11434; OLLAMA_HOST override is expected package configuration.
  • MCP servers are loaded only from user config and permissions enforce allowed modes/deny/autoApprove.
  • No credential harvesting, obfuscated payload, install-time mutation, persistence, or exfiltration flow found in inspected files.
  • README documents the coding agent, skills, MCP, and trust behavior matching the source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 208 KB of source, external domains: duckduckgo.com, github.com, html.duckduckgo.com, ollama.com, r.jina.ai, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/cli.jsView file
5import { join, relative, resolve } from "node:path"; L6: import { exec, execFile, execFileSync, spawnSync } from "node:child_process"; L7: import { randomUUID } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L5
628function readWindowsClipboardImage(path) { L629: execFileSync("powershell", [ L630: "-NoProfile",
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L628
5import { join, relative, resolve } from "node:path"; L6: import { exec, execFile, execFileSync, spawnSync } from "node:child_process"; L7: import { randomUUID } from "node:crypto"; ... L181: Follow these rules: L182: 1. Use available tools rather than guessing file contents, paths, or code behavior L183: 2. When a tool is needed, call it immediately instead of saying you will call it ... L456: try { L457: return JSON.parse(readFileSync(CONFIG_PATH, "utf8")); L458: } catch { ... L467: mcpServers: file.mcpServers, L468: searxngBaseUrl: file.searxngBaseUrl, L469: theme: file.theme ?? "github-dark",
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/cli.jsView on unpkg · L5
5Cross-file remote execution chain: dist/cli.js spawns dist/assets/tui-B7rdzcBc.js; helper contains network access plus dynamic code execution. L5: import { join, relative, resolve } from "node:path"; L6: import { exec, execFile, execFileSync, spawnSync } from "node:child_process"; L7: import { randomUUID } from "node:crypto"; ... L66: //#endregion L67: //#region package.json L68: var name = "code-ollama"; ... L75: //#region src/constants/config.ts L76: var DIRECTORY = join(homedir(), `.${NAME}`); L77: //#endregion ... L99: /** L100: * @see https://ollama.com/library L101: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L5
dist/assets/tui-B7rdzcBc.jsView file
matchType = previous_version_dangerous_delta matchedPackage = code-ollama@0.37.1 matchedIdentity = npm:Y29kZS1vbGxhbWE:0.37.1 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/assets/tui-B7rdzcBc.jsView on unpkg

Findings

1 Critical4 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/assets/tui-B7rdzcBc.js
HighChild Processdist/cli.js
HighShelldist/cli.js
HighRemote Agent Bridgedist/cli.js
HighCross File Remote Execution Contextdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings