codeam-cli@2.52.12

Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device — async. The terminal companion for CodeAgent Mobile.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 23 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Telemetry, Url Strings
Manifest: Wildcard Dependency
scanned 15 file(s), 1.16 MB of source, external domains: 127.0.0.1, api.codeagent-mobile.com, api.github.com, brew.sh, claude.ai, cli.coderabbit.ai, cli.github.com, codeagent-mobile.com, cursor.com, dev-api.codeagent-mobile.com, discord.gg, docs.gitlab.com, docs.railway.app, eu-assets.i.posthog.com, eu.i.posthog.com, github.com, gitlab.com, gitpod.io, posthog.com, raw.githubusercontent.com, registry.npmjs.org, sentry.io, status.anthropic.com, status.cloud.google.com, status.codeagent-mobile.com, status.cursor.com, status.openai.com, us-assets.i.posthog.com, us.i.posthog.com, www.codeagent-mobile.com, www.githubstatus.com, yandex.com

Source & flagged code

13 flagged
package.json
scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/index.js
L5519: // src/lib/git-branch.ts
L5520: var import_child_process = require("child_process");
L5521: function detectCurrentBranch(cwd = process.cwd()) {
High
Child Process

Package source references child process execution.

dist/index.js · L5519
L7680: if (process.platform === "win32") {
L7681: return process.env.COMSPEC ?? "powershell.exe";
L7682: }
High
Shell

Package source references shell execution.

dist/index.js · L7680
L5508: process.stderr.write(
L5509: "\n codeam-cli sends anonymous + identified usage events to PostHog\n (same project as the mobile + web apps). Opt out at any time:\n export CODEAM_TELEMETRY=0\n See https://...
L5510: );
...
L5514: function vercelBypassHeader() {
L5515: const token = process.env.CODEAM_VERCEL_BYPASS;
L5516: return token ? { "x-vercel-protection-bypass": token } : {};
...
L5519: // src/lib/git-branch.ts
L5520: var import_child_process = require("child_process");
L5521: function detectCurrentBranch(cwd = process.cwd()) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L5508
L5507: }
L5508: process.stderr.write(
L5509: "\n codeam-cli sends anonymous + identified usage events to PostHog\n (same project as the mobile + web apps). Opt out at any time:\n export CODEAM_TELEMETRY=0\n See https://...
L5510: );
...
L5519: // src/lib/git-branch.ts
L5520: var import_child_process = require("child_process");
L5521: function detectCurrentBranch(cwd = process.cwd()) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.js · L5507
L329: // ../../packages/shared/src/api-url.ts
L330: var DEFAULT_API_BASE_URL = "https://api.codeagent-mobile.com";
L331: var DEV_API_BASE_URL = "https://dev-api.codeagent-mobile.com";
...
L345:
L346: Read package.json, Procfile, Dockerfile, docker-compose.yml, manage.py, app.json,
L347: mix.exs, Cargo.toml, go.mod, requirements.txt, Gemfile, and any other framework
...
L349:
L350: Return ONLY a JSON object on stdout (no prose, no markdown fences):
L351:
...
L401: function makeConfig(baseDir) {
L402: const dir = path.join(baseDir ?? os.homedir(), ".codeam");
L403: const file = path.join(dir, "config.json");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.js · L329
L331: var DEV_API_BASE_URL = "https://dev-api.codeagent-mobile.com";
L332: function resolveApiBaseUrl() {
L333: const env = globalThis.process?.env;
...
L405: try {
L406: const raw = JSON.parse(fs.readFileSync(file, "utf-8"));
L407: return {
...
L5519: // src/lib/git-branch.ts
L5520: var import_child_process = require("child_process");
L5521: function detectCurrentBranch(cwd = process.cwd()) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.js · L331
package = codeam-cli; repositoryIdentity = codeagent-mobile-clients; dependency = chokidar
L6792: try {
L6793: return require("chokidar");
L6794: } catch {
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/index.js · L6792
L10871: fs9.writeFileSync(this.helperPath, PYTHON_PTY_HELPER, { mode: 420 });
L10872: this.proc = (0, import_child_process7.spawn)(python, [this.helperPath, cmd, ...args2], {
L10873: stdio: ["pipe", "pipe", "inherit"],
...
L10886: \u2717 Failed to launch Claude Code: ${err.message}
L10887: Make sure claude is correctly installed: npm install -g @anthropic-ai/claude-code
L10888: `
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.js · L10871
L8: var __hasOwnProp = Object.prototype.hasOwnProperty;
L9: var __commonJS = (cb, mod) => function __require() {
L10: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.js · L8
L329: // ../../packages/shared/src/api-url.ts
L330: var DEFAULT_API_BASE_URL = "https://api.codeagent-mobile.com";
L331: var DEV_API_BASE_URL = "https://dev-api.codeagent-mobile.com";
...
L345:
L346: Read package.json, Procfile, Dockerfile, docker-compose.yml, manage.py, app.json,
L347: mix.exs, Cargo.toml, go.mod, requirements.txt, Gemfile, and any other framework
...
L349:
L350: Return ONLY a JSON object on stdout (no prose, no markdown fences):
L351:
...
L401: function makeConfig(baseDir) {
L402: const dir = path.join(baseDir ?? os.homedir(), ".codeam");
L403: const file = path.join(dir, "config.json");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.js · L329
dist/vendor/node-pty/prebuilds/win32-arm64/pty.node
path = dist/vendor/node-pty/prebuilds/win32-arm64/pty.node
kind = native_binary
sizeBytes = 293376
magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/vendor/node-pty/prebuilds/win32-arm64/pty.node

Findings

9 High · 8 Medium · 6 Low
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Command Output Exfiltration · dist/index.js
High · Sandbox Evasion Gated Capability · dist/index.js
High · Remote Agent Bridge · dist/index.js
High · Copied Package Dependency Bridge · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/index.js
Medium · Ships Native Binary · dist/vendor/node-pty/prebuilds/win32-arm64/pty.node
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings