registry  /  codebase-cli  /  2.0.0-pre.80

codebase-cli@2.0.0-pre.80

Codebase CLI — a TypeScript coding agent on the pi-mono runtime. OAuth-aware, any LLM provider, single install.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `codebase`, enrolls a host with `codebase ssh add`, or authorizes agent tool use.
Impact
A user-approved agent session can alter local projects or enrolled remote hosts; this is an advertised high-risk capability, not covert package behavior.
Mechanism
Agent-controlled local shell and enrolled-host SSH command execution.
Rationale
The package has genuine high-impact coding-agent capabilities, including remote command execution, but source inspection shows them as explicit user-facing features rather than malicious installation or stealth behavior. Treat as a warning-worthy dangerous capability, not a publish-blocking malware package.
Evidence
package.jsonbin/codebasedist/cli.jsdist/ssh/cli.jsdist/ssh/store.jsdist/tools/ssh-exec.jsdist/auth/credentials.jsdist/auth/token-exchange.js
Network endpoints6
codebase.designcodebase.design/api/inferenceapi.anthropic.com/v1/modelsgenerativelanguage.googleapis.com/v1beta/modelsapi.tavily.comapi.search.brave.com/res/v1/web/search

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/tools/ssh-exec.js` runs remote shell commands via SSH.
  • `dist/ssh/cli.js` generates user SSH keys without a passphrase.
  • `dist/tools/shell.js` exposes local shell execution to the coding agent.
Evidence against
  • `package.json` declares no `preinstall`, `install`, or `postinstall` hook.
  • `bin/codebase` only imports `dist/cli.js` after explicit CLI invocation.
  • `dist/ssh/cli.js` requires explicit `ssh add` enrollment and persists only under `~/.codebase`.
  • `dist/tools/ssh-exec.js` restricts destinations to enrolled host names and validates destructive commands.
  • `dist/auth/credentials.js` stores OAuth credentials in `~/.codebase/credentials.json` with mode `0600`.
  • No source read showed exfiltration, hidden payload loading, or foreign AI-agent configuration mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 274 file(s), 1.34 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.search.brave.com, api.tavily.com, codebase.design, generativelanguage.googleapis.com, github.com, mcp.example.com, my-proxy.example.com, tavily.com

Source & flagged code

9 flagged · loading source
bench/run.test.mjsView file
24patternName = github_pat severity = critical line = 24 matchedText = const fa...23";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bench/run.test.mjsView on unpkg · L24
24patternName = github_pat severity = critical line = 24 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/run.test.mjs

bench/run.test.mjsView on unpkg · L24
dist/ssh/cli.jsView file
1import { spawnSync } from "node:child_process"; L2: import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs"; ... L22: const out = (m) => { L23: process.stdout.write(`${m}\n`); L24: }; ... L201: err(`✗ connection failed (exit ${result.status ?? "?"})`); L202: err(" Check: key on remote (~/.ssh/authorized_keys), hostname / port / user, firewall."); L203: return 1; ... L221: } L222: const dir = join(homedir(), ".codebase", "ssh"); L223: const keyPath = join(dir, name); ... L267: out("");
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/ssh/cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/cli.js -> dist/ssh/cli.js L1: import { spawnSync } from "node:child_process"; L2: import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs"; ... L22: const out = (m) => { L23: process.stdout.write(`${m}\n`); L24: }; ... L201: err(`✗ connection failed (exit ${result.status ?? "?"})`); L202: err(" Check: key on remote (~/.ssh/authorized_keys), hostname / port / user, firewall."); L203: return 1; ... L221: } L222: const dir = join(homedir(), ".codebase", "ssh"); L223: const keyPath = join(dir, name); ... L267: out("");
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/ssh/cli.jsView on unpkg · L1
bench/scenarios/add-test/verify.shView file
path = bench/scenarios/add-test/verify.sh kind = build_helper sizeBytes = 1309 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bench/scenarios/add-test/verify.shView on unpkg
bench/aggregate.test.mjsView file
27patternName = github_pat severity = critical line = 27 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/aggregate.test.mjs

bench/aggregate.test.mjsView on unpkg · L27
bench/scenarios/memory-secret-hygiene/verify.shView file
14patternName = github_pat severity = critical line = 14 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/scenarios/memory-secret-hygiene/verify.sh

bench/scenarios/memory-secret-hygiene/verify.shView on unpkg · L14
bench/scenarios/memory-secret-hygiene/prompt.txtView file
1patternName = github_pat severity = critical line = 1 matchedText = Use the ...ame.
Critical
Secret Pattern

GitHub personal access token in bench/scenarios/memory-secret-hygiene/prompt.txt

bench/scenarios/memory-secret-hygiene/prompt.txtView on unpkg · L1
bench/_self-test/fake-codebase-cli.mjsView file
328patternName = github_pat severity = critical line = 328 matchedText = const fa...23";
Critical
Secret Pattern

GitHub personal access token in bench/_self-test/fake-codebase-cli.mjs

bench/_self-test/fake-codebase-cli.mjsView on unpkg · L328

Findings

8 Critical4 Medium5 Low
CriticalCritical Secretbench/run.test.mjs
CriticalPersistence Backdoordist/ssh/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/ssh/cli.js
CriticalSecret Patternbench/run.test.mjs
CriticalSecret Patternbench/aggregate.test.mjs
CriticalSecret Patternbench/scenarios/memory-secret-hygiene/verify.sh
CriticalSecret Patternbench/scenarios/memory-secret-hygiene/prompt.txt
CriticalSecret Patternbench/_self-test/fake-codebase-cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbench/scenarios/add-test/verify.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings