registry  /  codeseek  /  0.1.30

codeseek@0.1.30

Code intelligence CLI for Claude Code — AST call graph analysis and hybrid semantic search (Dense + Sparse + RRF + Cross-Encoder Reranker) across 7 languages. Ships as MCP tools for Claude Code & Codex CLI.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A user-running CLI bootstrap downloads and executes an unchecked native binary. The install lifecycle import is inert because the module has no import-time download call.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `codeseek` when `~/.codeseek/bin/codeseek` is absent.
Impact
A compromised release artifact or accepted redirect can execute arbitrary code as the invoking user.
Mechanism
Unchecked remote binary download followed by local execution with inherited environment.
Rationale
Source inspection does not prove the package is malicious, and its postinstall hook is inert. However, executing an unsigned remotely fetched binary creates an unresolved, concrete high-impact risk.
Evidence
package.jsondist/install/download.jsdist/bin/codeseek.jsREADME.md~/.codeseek/config.json~/.codeseek/bin/codeseek
Network endpoints1
github.com/CodeBendKit/codeseek/releases/download/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/install/download.js` downloads a platform executable without checksum or signature validation.
  • `dist/install/download.js` follows server-provided redirects before writing the executable.
  • `dist/bin/codeseek.js` executes the downloaded `~/.codeseek/bin/codeseek` via `spawnSync` with inherited environment.
  • The package’s declared `postinstall` imports the downloader module.
Evidence against
  • The imported downloader only defines/exports `downloadBinary`; it does not download or execute during `postinstall`.
  • Configuration token input occurs only in the interactive CLI wizard and is written locally to `~/.codeseek/config.json`.
  • The inspected JavaScript wrapper contains no credential harvesting, exfiltration, destructive action, or AI-agent configuration mutation.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 13.0 KB of source, external domains: api.siliconflow.cn, cloud.siliconflow.cn, github.com, platform.openai.com, siliconflow.cn

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "var f='dist/install/download.js';require('fs').existsSync(f)&&require('./'+f)" || true
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "var f='dist/install/download.js';require('fs').existsSync(f)&&require('./'+f)" || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 Critical1 High3 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings