AI Security Review
scanned 6h ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface was found. The package is an explicit-user CLI coding agent with shell, file, and web tools governed by workspace and command policy.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall lifecycle hook.
- bin/coder.js only invokes the CLI after explicit user execution.
- src/core/tools.js exposes fetch/search only as agent tools, not import-time behavior.
- src/core/tools.js confines workspace file mutations to resolved allowed roots.
- src/core/shell.js and src/core/command-policy.js apply command blocking/approval policy.
- Scanner-hit dist assets are bundled editor/UI dependencies; no concrete payload chain found.
Source & flagged code
5 flagged · loading sourcePackage source references dynamic require/import behavior.
codemini-web/dist/assets/vue-vine-Di7Vc_-0.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
codemini-web/dist/assets/MarkdownEditor-kQWDzhOR.jsView on unpkg · L11Package ships compressed or archive-like blobs.
codemini-web/dist/animations/home/general/loader-cat-dark.lottieView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
codemini-web/dist/animations/home/general/loader-cat-dark.lottieView on unpkgPackage ships high-entropy non-source blobs.
codemini-web/dist/assets/GeistMono-Variable-Dispecij.woff2View on unpkg