registry  /  codemini-cli  /  0.8.3

codemini-cli@0.8.3

An extremely restrained coding + tasks CLI. Every platform. Every terminal. Minimal by design.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time behavior. The package is a user-invoked coding agent that can run workspace commands and contact a user-configured model gateway.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs codemini chat, run, skill, or web commands.
Impact
No unconsented persistence, credential exfiltration, remote payload execution, or foreign AI-agent configuration mutation was confirmed.
Mechanism
Explicit CLI agent tooling with configured gateway requests and workspace command execution.
Rationale
Static source inspection finds a package-aligned, explicitly invoked coding assistant rather than a concrete malicious chain. Scanner findings are explained by normal bundled web assets and expected agent functionality.
Evidence
package.jsonbin/coder.jssrc/cli.jssrc/core/config-store.jssrc/core/tools.jssrc/core/command-policy.jssrc/commands/skill.jscodemini-web/server.jscodemini-web/dist/assets/MarkdownEditor-kQWDzhOR.js

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hook.
    • bin/coder.js only dispatches explicit CLI arguments to src/cli.js.
    • Configured model traffic defaults to local http://127.0.0.1:8000/v1.
    • No bidi control characters found in inspected MarkdownEditor bundle.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 735 file(s), 22.4 MB of source, external domains: 127.0.0.1, api.exa.ai, api.github.com, api.tavily.com, cdn.jsdelivr.net, cn.bing.com, codemini.local, example.com, github.com, html.spec.whatwg.org, img.youtube.com, radix-ui.com, react.dev, unpkg.com, www.google.com, www.markdownguide.org, www.reddit.com, www.w3.org, www.youtube.com

    Source & flagged code

    5 flagged · loading source
    codemini-web/dist/assets/vue-vine-Di7Vc_-0.jsView file
    1import{t as e}from"./javascript-uC_ymh2K.js";import{t}from"./css-BBfbkQ4Z.js";import{t as n}from"./scss-6l0uLbp8.js";import r from"./postcss-BXeXVLqQ.js";import i from"./less-DVTAw...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    codemini-web/dist/assets/vue-vine-Di7Vc_-0.jsView on unpkg · L1
    codemini-web/dist/assets/MarkdownEditor-kQWDzhOR.jsView file
    11contains invisible/control Unicode U+200E (left-to-right mark) `&&F()}function K(){for(;Ho[N];)F()}function q(e){e===void 0&&(e=!1),K();for(var t=[be(e)];P(`,`);)F(),K(),t.push(be(e));return{type:`Selector`,rules:t}}function me(){B(`[`),K();var e;if(P(`|`)){L(y,`Namespaces are not enabled.`),F();var t=
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    codemini-web/dist/assets/MarkdownEditor-kQWDzhOR.jsView on unpkg · L11
    codemini-web/dist/animations/home/general/loader-cat-dark.lottieView file
    path = codemini-[redacted]-cat-dark.lottie kind = compressed_blob sizeBytes = 4034 magicHex = [redacted]
    Medium
    Ships Compressed Blob

    Package ships compressed or archive-like blobs.

    codemini-web/dist/animations/home/general/loader-cat-dark.lottieView on unpkg
    path = codemini-[redacted]-cat-dark.lottie kind = nested_archive_needs_inspection sizeBytes = 4034 magicHex = [redacted]
    Low
    Nested Archive Needs Inspection

    Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

    codemini-web/dist/animations/home/general/loader-cat-dark.lottieView on unpkg
    codemini-web/dist/assets/GeistMono-Variable-Dispecij.woff2View file
    path = codemini-web/dist/assets/GeistMono-Variable-Dispecij.woff2 kind = high_entropy_blob sizeBytes = 71368 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    codemini-web/dist/assets/GeistMono-Variable-Dispecij.woff2View on unpkg

    Findings

    1 Critical1 High5 Medium6 Low
    CriticalTrojan Source Unicodecodemini-web/dist/assets/MarkdownEditor-kQWDzhOR.js
    HighShips High Entropy Blobcodemini-web/dist/assets/GeistMono-Variable-Dispecij.woff2
    MediumDynamic Requirecodemini-web/dist/assets/vue-vine-Di7Vc_-0.js
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Compressed Blobcodemini-web/dist/animations/home/general/loader-cat-dark.lottie
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings
    LowNested Archive Needs Inspectioncodemini-web/dist/animations/home/general/loader-cat-dark.lottie