registry  /  codesema  /  0.2.0

codesema@0.2.0

Local merge request review, told as chapters. Your AI agent reviews, codesema displays.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Explicit review execution can run an agent command supplied by repository-local `.codesema/config.json`. This is a local configuration-injection/RCE risk, not install-time behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `codesema` or `codesema review` in a repository containing `.codesema/config.json`.
Impact
Arbitrary commands run with the invoking user's permissions; a configured agent may receive the repository diff and prompt.
Mechanism
Repository-configured shell command execution through `spawn(..., { shell: true })`.
Rationale
The package is not malicious by source intent and has no install-time execution or confirmed exfiltration. However, its trusted repository configuration reaches a shell execution sink, creating a concrete user-invoked arbitrary-command risk.
Evidence
package.jsondist/index.mjsREADME.mdweb-dist/assets/index-UY9qiCLI.js.codesema/config.json.codesema/PROMPT.md.codesema/input.json.codesema/review.json.codesema/agent-output.txt~/.config/codesema/config.json

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • dist/index.mjs loads repo `.codesema/config.json` and accepts its `agent` string.
  • dist/index.mjs `review()` uses configured `agent` when no CLI override is supplied.
  • dist/index.mjs `runAgent()` executes that string via `spawn(..., { shell: true })` in the repo.
  • A repository-controlled config can therefore cause arbitrary local command execution when the user explicitly runs `codesema review`.
Evidence against
  • package.json has no preinstall/install/postinstall hook.
  • All writes are review/config artifacts under `.codesema` or the user's codesema config directory.
  • Built-in server binds only to `127.0.0.1`; UI uses local `/api/*` endpoints.
  • No fixed external endpoint, credential harvesting, payload download, destructive deletion, or agent-control-surface mutation was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 178 KB of source, external domains: git-scm.com

Source & flagged code

3 flagged · loading source
dist/index.mjsView file
Published source reference
Medium
Ai Review Evidence

dist/index.mjs loads repo `.codesema/config.json` and accepts its `agent` string.

dist/index.mjsView on unpkg
Published source reference
Medium
Ai Review Evidence

dist/index.mjs `review()` uses configured `agent` when no CLI override is supplied.

dist/index.mjsView on unpkg
Published source reference
Medium
Ai Review Evidence

dist/index.mjs `runAgent()` executes that string via `spawn(..., { shell: true })` in the repo.

dist/index.mjsView on unpkg

Findings

7 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumAi Review Evidencedist/index.mjs
MediumAi Review Evidencedist/index.mjs
MediumAi Review Evidencedist/index.mjs
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings