AI Security Review
scanned 23h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a terminal coding agent with powerful user-invoked file, shell, web, and MCP capabilities that are aligned with its stated purpose.
Decision evidence
public snapshot- dist/cli.js exposes user-invoked agent tools for file read/write/delete and shell execution via Ollama tool calls.
- dist/cli.js can pass inherited process.env to user-configured MCP stdio servers via ~/.code-ollama/config.json.
- dist/cli.js includes web_fetch/web_search tools and update checks to external endpoints.
- package.json has no install/preinstall/postinstall scripts; prepare is husky and prepublishOnly is build/lint/test.
- CLI actions require explicit invocation through code-ollama/collama bins, and workspace access is gated by a directory trust prompt unless --trust is used.
- Default model endpoint is local Ollama at http://localhost:11434; OLLAMA_HOST override is expected package configuration.
- MCP servers are loaded only from user config and permissions enforce allowed modes/deny/autoApprove.
- No credential harvesting, obfuscated payload, install-time mutation, persistence, or exfiltration flow found in inspected files.
- README documents the coding agent, skills, MCP, and trust behavior matching the source.
Source & flagged code
5 flagged · loading sourceSource exposes local file and command tools to a remote model endpoint.
dist/cli.jsView on unpkg · L5Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.jsView on unpkg · L5This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/assets/tui-B7rdzcBc.jsView on unpkg