registry  /  codexmate  /  0.1.3

codexmate@0.1.3

Codex/Claude Code/OpenClaw 配置、会话与任务编排 CLI + Web 工具

AI Security Review

scanned 2h ago · by lpm-firewall-ai

An explicit update command can fetch and execute a remote shell script from a mutable branch. The CLI also manages user-selected AI tool configuration files.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `codexmate update` on a standalone installation.
Impact
A compromised GitHub branch or delivery path could execute arbitrary commands as the invoking user.
Mechanism
Remote shell-script download and execution without content verification.
Rationale
The package is not concretely malicious from inspected source: there are no lifecycle hooks and the risky path is user-invoked. It nevertheless exposes unverified remote code execution and AI-tool configuration mutation, warranting a warning.
Evidence
package.jsoncli.jscli/update.jscli/config-bootstrap.js~/.codex/config.toml~/.codex/auth.json~/.codex/codexmate-init.json$TMPDIR/codexmate-install-<timestamp>.sh
Network endpoints2
registry.npmjs.org/codexmate/latestraw.githubusercontent.com/SakuraByteCore/codexmate/main/scripts/install.sh

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `cli/update.js` downloads a mutable GitHub install script and executes it with `bash`.
  • The standalone updater performs no signature, checksum comparison, or version pinning.
  • `cli.js` can bootstrap and write Codex configuration on ordinary CLI invocation.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • The remote-script path is reachable only through explicit `codexmate update`.
  • No `eval`, `Function`, VM execution, or decoded-payload execution was found.
  • Config writes are guarded for `run`/MCP and default tool-write permissions are false.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 112 file(s), 3.68 MB of source, external domains: 127.0.0.1, ai.muapi.cn, aihubmix.com, anyrouter.top, api-inference.modelscope.cn, api.88code.ai, api.anthropic.com, api.deepseek.com, api.example.com, api.kimi.com, api.longcat.chat, api.minimax.io, api.minimaxi.com, api.moonshot.cn, api.openai.com, api.tbox.cn, api.xiaomimimo.com, api.z.ai, app.kilo.ai, ark.cn-beijing.volces.com, chatgpt.com, coding.dashscope.aliyuncs.com, example.com, github.com, mirrors.cloud.tencent.com, open.bigmodel.cn, opencode.ai, raw.githubusercontent.com, registry.example.com, registry.npmjs.org, registry.npmmirror.com, token-plan-cn.xiaomimimo.com, vanchin.streamlake.ai, voyage.prod.telepub.cn, www.dmxapi.cn, www.packyapi.com, www.w3.org

Source & flagged code

7 flagged · loading source
cli/archive-helpers.jsView file
345if (typeof execFileSync === 'function') { L346: execFileSync(zipTool.cmd, ['-0', '-q', '-r', zipFilePath, dirPath], { stdio: 'ignore' }); L347: } else {
High
Child Process

Package source references child process execution.

cli/archive-helpers.jsView on unpkg · L345
cli.jsView file
9const yauzl = require('yauzl'); L10: const { exec, execSync, execFileSync, spawn, spawnSync } = require('child_process'); L11: const http = require('http'); L12: const https = require('https'); ... L191: // ============================================================================ L192: const CONFIG_DIR = path.join(os.homedir(), '.codex'); L193: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.toml'); L194: const AUTH_FILE = path.join(CONFIG_DIR, 'auth.json'); L195: const OPENCODE_CONFIG_DIR = path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'), 'opencode'); L196: const KILOCODE_CONFIG_DIR = path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'), 'kilo'); ... L586: const { L587: stdoutPidSet = seenPids,
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

cli.jsView on unpkg · L9
Trigger-reachable chain: manifest.main -> cli.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

cli.jsView on unpkg
matchType = previous_version_dangerous_delta matchedPackage = codexmate@0.1.2 matchedIdentity = npm:Y29kZXhtYXRl:0.1.2 similarity = 0.856 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli.jsView on unpkg
9const yauzl = require('yauzl'); L10: const { exec, execSync, execFileSync, spawn, spawnSync } = require('child_process'); L11: const http = require('http'); L12: const https = require('https'); ... L191: // ============================================================================ L192: const CONFIG_DIR = path.join(os.homedir(), '.codex'); L193: const CONFIG_FILE = path.join(CONFIG_DIR, 'config.toml'); L194: const AUTH_FILE = path.join(CONFIG_DIR, 'auth.json'); L195: const OPENCODE_CONFIG_DIR = path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'), 'opencode'); L196: const KILOCODE_CONFIG_DIR = path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'), 'kilo'); ... L586: const { L587: stdoutPidSet = seenPids,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

cli.jsView on unpkg · L9
cli/update.jsView file
3const os = require('os'); L4: const https = require('https'); L5: const { execSync, spawn } = require('child_process'); L6: ... L10: async function cmdToolUpdate(args = []) { L11: const pkg = require('../package.json'); L12: const currentVersion = pkg.version; ... L87: } L88: const json = JSON.parse(data); L89: finish(resolve, json.version || ''); ... L153: function detectInstallMethod() { L154: const cliPath = path.resolve(__dirname, '..');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

cli/update.jsView on unpkg · L3
skills/codexmate-project-context-recovery/scripts/search_sessions.pyView file
path = skills/codexmate-project-context-recovery/scripts/search_sessions.py kind = build_helper sizeBytes = 21210 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/codexmate-project-context-recovery/scripts/search_sessions.pyView on unpkg

Findings

3 Critical3 High5 Medium6 Low
CriticalRemote Asset Decode Executecli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
CriticalPrevious Version Dangerous Deltacli.js
HighChild Processcli/archive-helpers.js
HighShell
HighSandbox Evasion Gated Capabilitycli/update.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperskills/codexmate-project-context-recovery/scripts/search_sessions.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptocli.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings