registry  /  codexmate  /  0.1.1

codexmate@0.1.1

Codex/Claude Code/OpenClaw 配置、会话与任务编排 CLI + Web 工具

AI Security Review

scanned 2h ago · by lpm-firewall-ai

An explicit standalone update action fetches a remote shell script and executes it locally. This is an unverified remote-code-execution capability, but it is not install-time or automatic.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `codexmate update` from a standalone installation on non-Windows.
Impact
A compromised GitHub-hosted installer path can execute arbitrary code with the invoking user's privileges.
Mechanism
curl-download then bash-execute remote installer
Rationale
Source inspection confirms an explicit but unverified remote installer execution path. It does not establish stealthy or install-time malicious behavior, so a warning is proportionate rather than a block.
Evidence
cli/update.jscli.jspackage.json
Network endpoints2
registry.npmjs.org/codexmate/latestraw.githubusercontent.com/SakuraByteCore/codexmate/main/scripts/install.sh

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `cli/update.js` standalone update downloads GitHub script then executes it with `bash` without signature verification.
  • The printed SHA-256 checksum is not compared to a trusted value before execution.
  • `cli.js` manages and can write Codex, Claude, OpenCode, and OpenClaw configuration files.
Evidence against
  • `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
  • The remote script path is reachable only through the explicit `codexmate update` command.
  • No eval/vm/new Function remote-payload execution was found; base64 use handles HTTP Basic auth and ZIP uploads.
  • Web UI config writes are guarded by per-tool write permissions.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 111 file(s), 3.62 MB of source, external domains: 127.0.0.1, ai.muapi.cn, aihubmix.com, anyrouter.top, api-inference.modelscope.cn, api.88code.ai, api.anthropic.com, api.deepseek.com, api.example.com, api.kimi.com, api.longcat.chat, api.minimax.io, api.minimaxi.com, api.moonshot.cn, api.openai.com, api.tbox.cn, api.xiaomimimo.com, api.z.ai, ark.cn-beijing.volces.com, chatgpt.com, coding.dashscope.aliyuncs.com, example.com, github.com, mirrors.cloud.tencent.com, open.bigmodel.cn, opencode.ai, raw.githubusercontent.com, registry.example.com, registry.npmjs.org, registry.npmmirror.com, token-plan-cn.xiaomimimo.com, vanchin.streamlake.ai, voyage.prod.telepub.cn, www.dmxapi.cn, www.packyapi.com, www.w3.org

Source & flagged code

6 flagged · loading source
cli/archive-helpers.jsView file
345if (typeof execFileSync === 'function') { L346: execFileSync(zipTool.cmd, ['-0', '-q', '-r', zipFilePath, dirPath], { stdio: 'ignore' }); L347: } else {
High
Child Process

Package source references child process execution.

cli/archive-helpers.jsView on unpkg · L345
cli.jsView file
9const yauzl = require('yauzl'); L10: const { exec, execSync, execFileSync, spawn, spawnSync } = require('child_process'); L11: const http = require('http'); L12: const https = require('https'); ... L191: // ============================================================================ L192: const CONFIG_DIR = path.join(os.homedir(), '.codex'); L193: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.toml'); L194: const AUTH_FILE = path.join(CONFIG_DIR, 'auth.json'); L195: const OPENCODE_CONFIG_DIR = path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'), 'opencode'); L196: const OPENCODE_CONFIG_ENV_FILE = process.env.OPENCODE_CONFIG ? path.resolve(process.env.OPENCODE_CONFIG) : ''; ... L577: const { L578: stdoutPidSet = seenPids,
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

cli.jsView on unpkg · L9
Trigger-reachable chain: manifest.main -> cli.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

cli.jsView on unpkg
9const yauzl = require('yauzl'); L10: const { exec, execSync, execFileSync, spawn, spawnSync } = require('child_process'); L11: const http = require('http'); L12: const https = require('https'); ... L191: // ============================================================================ L192: const CONFIG_DIR = path.join(os.homedir(), '.codex'); L193: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.toml'); L194: const AUTH_FILE = path.join(CONFIG_DIR, 'auth.json'); L195: const OPENCODE_CONFIG_DIR = path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'), 'opencode'); L196: const OPENCODE_CONFIG_ENV_FILE = process.env.OPENCODE_CONFIG ? path.resolve(process.env.OPENCODE_CONFIG) : ''; ... L577: const { L578: stdoutPidSet = seenPids,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

cli.jsView on unpkg · L9
cli/update.jsView file
3const os = require('os'); L4: const https = require('https'); L5: const { execSync, spawn } = require('child_process'); L6: ... L10: async function cmdToolUpdate(args = []) { L11: const pkg = require('../package.json'); L12: const currentVersion = pkg.version; ... L87: } L88: const json = JSON.parse(data); L89: finish(resolve, json.version || ''); ... L153: function detectInstallMethod() { L154: const cliPath = path.resolve(__dirname, '..');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

cli/update.jsView on unpkg · L3
skills/codexmate-project-context-recovery/scripts/search_sessions.pyView file
path = skills/codexmate-project-context-recovery/scripts/search_sessions.py kind = build_helper sizeBytes = 21210 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/codexmate-project-context-recovery/scripts/search_sessions.pyView on unpkg

Findings

2 Critical3 High5 Medium6 Low
CriticalRemote Asset Decode Executecli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
HighChild Processcli/archive-helpers.js
HighShell
HighSandbox Evasion Gated Capabilitycli/update.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperskills/codexmate-project-context-recovery/scripts/search_sessions.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptocli.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings