registry  /  codebase-cli  /  2.0.0-pre.78

codebase-cli@2.0.0-pre.78

Codebase CLI — a TypeScript coding agent on the pi-mono runtime. OAuth-aware, any LLM provider, single install.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is an AI coding-agent CLI with user-invoked shell, SSH, OAuth, and cache/config behaviors aligned with its stated functionality.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs codebase CLI subcommands or agent tools
Impact
Potentially powerful local/remote execution only after explicit CLI use and configured permissions; no unconsented install-time mutation or exfiltration observed.
Mechanism
User-authorized coding agent capabilities with OAuth and optional SSH enrollment
Rationale
Static inspection shows a feature-rich coding-agent CLI with expected network, credential, shell, and SSH capabilities, but they are user-invoked/package-aligned and not triggered by npm install. The scanner's persistence/backdoor and secret findings map to explicit SSH enrollment/keygen features and benchmark redaction fixtures, not concrete malicious behavior.
Evidence
package.jsonbin/codebasedist/cli.jsdist/ssh/cli.jsdist/ssh/store.jsdist/ssh/config.jsdist/tools/ssh-exec.jsdist/tools/shell.jsdist/auth/cli.jsdist/auth/credentials.jsdist/auth/token-exchange.jsdist/skills/platform-loader.js
Network endpoints9
codebase.design/logincodebase.design/api/oauth/tokencodebase.design/api/oauth/revokecodebase.design/api/cli/assetscodebase.design/api/inferenceapi.anthropic.com/v1/models?limit=100generativelanguage.googleapis.com/v1beta/models?pageSize=200api.tavily.com/searchapi.search.brave.com/res/v1/web/search

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/ssh/cli.js provides user-invoked ssh add/test/keygen commands and spawns ssh/ssh-keygen
  • dist/tools/shell.js and dist/tools/ssh-exec.js expose agent shell/SSH execution tools gated by validators
  • dist/auth/credentials.js stores access/refresh tokens under ~/.codebase/credentials.json
Evidence against
  • package.json has no install/preinstall/postinstall hook; prepack/prepublishOnly are build/check scripts
  • bin/codebase only imports dist/cli.js; dangerous actions are CLI subcommands or agent tools, not install-time behavior
  • dist/ssh/cli.js keygen writes only ~/.codebase/ssh/<name> keys and prints an authorized_keys one-liner for the user
  • dist/tools/ssh-exec.js only targets enrolled hosts from ~/.codebase/ssh.json or project .codebase/ssh.json
  • dist/auth/cli.js and dist/auth/token-exchange.js use package-aligned OAuth endpoints on codebase.design
  • bench/run.test.mjs fake GitHub token is a redaction test fixture, not a live secret
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 274 file(s), 1.34 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.search.brave.com, api.tavily.com, codebase.design, generativelanguage.googleapis.com, github.com, mcp.example.com, my-proxy.example.com, tavily.com

Source & flagged code

9 flagged · loading source
bench/run.test.mjsView file
24patternName = github_pat severity = critical line = 24 matchedText = const fa...23";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bench/run.test.mjsView on unpkg · L24
24patternName = github_pat severity = critical line = 24 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/run.test.mjs

bench/run.test.mjsView on unpkg · L24
dist/ssh/cli.jsView file
1import { spawnSync } from "node:child_process"; L2: import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs"; ... L22: const out = (m) => { L23: process.stdout.write(`${m}\n`); L24: }; ... L201: err(`✗ connection failed (exit ${result.status ?? "?"})`); L202: err(" Check: key on remote (~/.ssh/authorized_keys), hostname / port / user, firewall."); L203: return 1; ... L221: } L222: const dir = join(homedir(), ".codebase", "ssh"); L223: const keyPath = join(dir, name); ... L267: out("");
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/ssh/cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/cli.js -> dist/ssh/cli.js L1: import { spawnSync } from "node:child_process"; L2: import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs"; ... L22: const out = (m) => { L23: process.stdout.write(`${m}\n`); L24: }; ... L201: err(`✗ connection failed (exit ${result.status ?? "?"})`); L202: err(" Check: key on remote (~/.ssh/authorized_keys), hostname / port / user, firewall."); L203: return 1; ... L221: } L222: const dir = join(homedir(), ".codebase", "ssh"); L223: const keyPath = join(dir, name); ... L267: out("");
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/ssh/cli.jsView on unpkg · L1
bench/scenarios/add-test/verify.shView file
path = bench/scenarios/add-test/verify.sh kind = build_helper sizeBytes = 1309 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bench/scenarios/add-test/verify.shView on unpkg
bench/aggregate.test.mjsView file
27patternName = github_pat severity = critical line = 27 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/aggregate.test.mjs

bench/aggregate.test.mjsView on unpkg · L27
bench/scenarios/memory-secret-hygiene/verify.shView file
14patternName = github_pat severity = critical line = 14 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/scenarios/memory-secret-hygiene/verify.sh

bench/scenarios/memory-secret-hygiene/verify.shView on unpkg · L14
bench/scenarios/memory-secret-hygiene/prompt.txtView file
1patternName = github_pat severity = critical line = 1 matchedText = Use the ...ame.
Critical
Secret Pattern

GitHub personal access token in bench/scenarios/memory-secret-hygiene/prompt.txt

bench/scenarios/memory-secret-hygiene/prompt.txtView on unpkg · L1
bench/_self-test/fake-codebase-cli.mjsView file
328patternName = github_pat severity = critical line = 328 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/_self-test/fake-codebase-cli.mjs

bench/_self-test/fake-codebase-cli.mjsView on unpkg · L328

Findings

8 Critical4 Medium5 Low
CriticalCritical Secretbench/run.test.mjs
CriticalPersistence Backdoordist/ssh/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/ssh/cli.js
CriticalSecret Patternbench/run.test.mjs
CriticalSecret Patternbench/aggregate.test.mjs
CriticalSecret Patternbench/scenarios/memory-secret-hygiene/verify.sh
CriticalSecret Patternbench/scenarios/memory-secret-hygiene/prompt.txt
CriticalSecret Patternbench/_self-test/fake-codebase-cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbench/scenarios/add-test/verify.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings