registry  /  codebase-cli  /  2.0.0-pre.79

codebase-cli@2.0.0-pre.79

Codebase CLI — a TypeScript coding agent on the pi-mono runtime. OAuth-aware, any LLM provider, single install.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `codebase ssh add`, `codebase ssh test`, or `codebase ssh keygen`; the agent can use enrolled hosts through its SSH capability.
Impact
A user-approved enrolled remote host can be reached by the agent; this is dangerous dual-use functionality, not a confirmed stealth or unconsented attack chain.
Mechanism
Explicit SSH host enrollment, local key generation, and subprocess-based SSH execution.
Rationale
Source inspection disproves the scanner's persistence claim: SSH configuration and keys are created only by explicit user commands, and the remote authorized-keys command is printed rather than executed. The package nevertheless exposes meaningful AI-agent remote-execution capability, so it warrants a warn verdict rather than a clean or malicious classification.
Evidence
package.jsonbin/codebasedist/cli.jsdist/ssh/cli.jsdist/ssh/store.jsdist/auth/cli.jsdist/auth/credentials.js~/.codebase/ssh.json~/.codebase/ssh/<name>~/.codebase/ssh/<name>.pub~/.codebase/credentials.json
Network endpoints4
codebase.design/logincodebase.design/api/oauth/tokencodebase.design/api/oauth/revokecodebase.design/api/v1/credits/balance

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/ssh/cli.js` exposes agent-targetable SSH host enrollment and testing.
  • `dist/ssh/cli.js` invokes `ssh` and can generate unencrypted private keys, but only through explicit `codebase ssh` commands.
  • `dist/ssh/store.js` persists enrolled hosts in `~/.codebase/ssh.json`.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • `bin/codebase` only dynamically imports the CLI after explicit invocation.
  • `dist/ssh/cli.js` validates host configuration and does not install keys remotely; it only prints a manual one-liner.
  • `dist/auth/credentials.js` stores package OAuth credentials in `~/.codebase/credentials.json` with mode 0600.
  • `dist/auth/cli.js` limits OAuth defaults to `https://codebase.design` endpoints.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 274 file(s), 1.34 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.search.brave.com, api.tavily.com, codebase.design, generativelanguage.googleapis.com, github.com, mcp.example.com, my-proxy.example.com, tavily.com

Source & flagged code

9 flagged · loading source
bench/run.test.mjsView file
24patternName = github_pat severity = critical line = 24 matchedText = const fa...23";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bench/run.test.mjsView on unpkg · L24
24patternName = github_pat severity = critical line = 24 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/run.test.mjs

bench/run.test.mjsView on unpkg · L24
dist/ssh/cli.jsView file
1import { spawnSync } from "node:child_process"; L2: import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs"; ... L22: const out = (m) => { L23: process.stdout.write(`${m}\n`); L24: }; ... L201: err(`✗ connection failed (exit ${result.status ?? "?"})`); L202: err(" Check: key on remote (~/.ssh/authorized_keys), hostname / port / user, firewall."); L203: return 1; ... L221: } L222: const dir = join(homedir(), ".codebase", "ssh"); L223: const keyPath = join(dir, name); ... L267: out("");
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/ssh/cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/cli.js -> dist/ssh/cli.js L1: import { spawnSync } from "node:child_process"; L2: import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs"; ... L22: const out = (m) => { L23: process.stdout.write(`${m}\n`); L24: }; ... L201: err(`✗ connection failed (exit ${result.status ?? "?"})`); L202: err(" Check: key on remote (~/.ssh/authorized_keys), hostname / port / user, firewall."); L203: return 1; ... L221: } L222: const dir = join(homedir(), ".codebase", "ssh"); L223: const keyPath = join(dir, name); ... L267: out("");
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/ssh/cli.jsView on unpkg · L1
bench/scenarios/add-test/verify.shView file
path = bench/scenarios/add-test/verify.sh kind = build_helper sizeBytes = 1309 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bench/scenarios/add-test/verify.shView on unpkg
bench/aggregate.test.mjsView file
27patternName = github_pat severity = critical line = 27 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/aggregate.test.mjs

bench/aggregate.test.mjsView on unpkg · L27
bench/scenarios/memory-secret-hygiene/verify.shView file
14patternName = github_pat severity = critical line = 14 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/scenarios/memory-secret-hygiene/verify.sh

bench/scenarios/memory-secret-hygiene/verify.shView on unpkg · L14
bench/scenarios/memory-secret-hygiene/prompt.txtView file
1patternName = github_pat severity = critical line = 1 matchedText = Use the ...ame.
Critical
Secret Pattern

GitHub personal access token in bench/scenarios/memory-secret-hygiene/prompt.txt

bench/scenarios/memory-secret-hygiene/prompt.txtView on unpkg · L1
bench/_self-test/fake-codebase-cli.mjsView file
328patternName = github_pat severity = critical line = 328 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/_self-test/fake-codebase-cli.mjs

bench/_self-test/fake-codebase-cli.mjsView on unpkg · L328

Findings

8 Critical4 Medium5 Low
CriticalCritical Secretbench/run.test.mjs
CriticalPersistence Backdoordist/ssh/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/ssh/cli.js
CriticalSecret Patternbench/run.test.mjs
CriticalSecret Patternbench/aggregate.test.mjs
CriticalSecret Patternbench/scenarios/memory-secret-hygiene/verify.sh
CriticalSecret Patternbench/scenarios/memory-secret-hygiene/prompt.txt
CriticalSecret Patternbench/_self-test/fake-codebase-cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbench/scenarios/add-test/verify.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings