AI Security Review
scanned 6h ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time behavior. The package is a user-invoked coding agent that can run workspace commands and contact a user-configured model gateway.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall lifecycle hook.
- bin/coder.js only dispatches explicit CLI arguments to src/cli.js.
- Configured model traffic defaults to local http://127.0.0.1:8000/v1.
- No bidi control characters found in inspected MarkdownEditor bundle.
Source & flagged code
5 flagged · loading sourcePackage source references dynamic require/import behavior.
codemini-web/dist/assets/vue-vine-Di7Vc_-0.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
codemini-web/dist/assets/MarkdownEditor-kQWDzhOR.jsView on unpkg · L11Package ships compressed or archive-like blobs.
codemini-web/dist/animations/home/general/loader-cat-dark.lottieView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
codemini-web/dist/animations/home/general/loader-cat-dark.lottieView on unpkgPackage ships high-entropy non-source blobs.
codemini-web/dist/assets/GeistMono-Variable-Dispecij.woff2View on unpkg