AI Security Review
scanned 2h ago · by lpm-firewall-aiAn explicit standalone update action fetches a remote shell script and executes it locally. This is an unverified remote-code-execution capability, but it is not install-time or automatic.
Decision evidence
public snapshot- `cli/update.js` standalone update downloads GitHub script then executes it with `bash` without signature verification.
- The printed SHA-256 checksum is not compared to a trusted value before execution.
- `cli.js` manages and can write Codex, Claude, OpenCode, and OpenClaw configuration files.
- `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
- The remote script path is reachable only through the explicit `codexmate update` command.
- No eval/vm/new Function remote-payload execution was found; base64 use handles HTTP Basic auth and ZIP uploads.
- Web UI config writes are guarded by per-tool write permissions.
Source & flagged code
6 flagged · loading sourcePackage source references child process execution.
cli/archive-helpers.jsView on unpkg · L345Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
cli.jsView on unpkg · L9A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
cli/update.jsView on unpkg · L3Package ships non-JavaScript build or shell helper files.
skills/codexmate-project-context-recovery/scripts/search_sessions.pyView on unpkg