registry  /  codesema  /  0.2.2

codesema@0.2.2

Local merge request review, told as chapters. Your AI agent reviews, codesema displays.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The CLI deliberately runs a selected review-agent command only during an explicit `codesema review` action, with a guard for repo-provided commands.

Static reason
No blocking static signals were detected.
Trigger
User runs `codesema review`; a repo-configured agent additionally requires interactive approval unless explicitly overridden.
Impact
The selected agent receives the prepared review prompt and runs with the user's permissions; this is disclosed and guarded rather than stealth install-time execution.
Mechanism
Local git review preparation, loopback UI, and user-selected agent subprocess execution.
Rationale
Source inspection shows an explicit local code-review CLI, not an install-time or covert payload. Its shell subprocess capability is package-aligned and protects repo-supplied commands with interactive trust-on-first-use approval.
Evidence
package.jsondist/index.mjsREADME.md~/.config/codesema/config.json~/.config/codesema/trusted-agents.json.codesema/.gitignore.codesema/config.json.codesema/input.json.codesema/review.json.codesema/agent-output.txt.codesema/reviews/*.json
Network endpoints1
localhost:${port}

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.mjs` uses `spawn(..., {shell:true})` to run an AI-agent command during `codesema review`.
  • A repo `.codesema/config.json` can supply that command, creating a user-project command-execution surface.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` is publish-time only.
  • `dist/index.mjs` requires interactive one-time approval for a repo-provided agent command and rejects it unattended.
  • The CLI binds its UI server to `127.0.0.1` and rejects non-loopback API Host headers.
  • No outbound network API, credential harvesting, dynamic evaluation, payload download, or destructive filesystem operation was found.
  • Writes are limited to user-selected config and `.codesema` review artifacts.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 182 KB of source, external domains: git-scm.com

Source & flagged code

2 flagged · loading source
dist/index.mjsView file
Published source reference
Low
Ai Review Evidence

`dist/index.mjs` uses `spawn(..., {shell:true})` to run an AI-agent command during `codesema review`.

dist/index.mjsView on unpkg
codesema/config.jsonView file
Published source reference
Low
Ai Review Evidence

A repo `.codesema/config.json` can supply that command, creating a user-project command-execution surface.

codesema/config.jsonView on unpkg

Findings

3 Medium7 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidencedist/index.mjs
LowAi Review Evidencecodesema/config.json