registry  /  copilotoffice  /  2.3.0

copilotoffice@2.3.0

A 2D pixel-art desktop game where you walk around a virtual office and interact with AI agents that run real GitHub Copilot CLI sessions — plan, debug, orchestrate fleets, and drive agents from Microsoft Teams.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an explicitly launched Electron application that integrates Copilot CLI with optional Microsoft Teams automation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `copilotoffice` and configures/uses its desktop or Teams features.
Impact
Can run Copilot CLI sessions in user-selected workspaces and use the user's Azure/Teams access; this is package-aligned functionality, not install-time compromise.
Mechanism
User-invoked Electron terminal orchestration using Copilot CLI and Microsoft APIs.
Rationale
Static inspection confirms powerful but package-aligned, user-invoked Copilot and Teams functionality. No lifecycle execution, stealth persistence, arbitrary payload retrieval, credential exfiltration, or foreign AI-agent control-surface mutation was found.
Evidence
package.jsonbin/copilotoffice.jsdist/electron/main.jsdist/electron/terminal/server.jsdist/electron/terminal/ipc-relay.jsdist/electron/terminal/events-watcher.js
Network endpoints4
graph.microsoft.comic3.teams.office.comteams.cloud.microsoftgo-msit.trouter.teams.microsoft.com

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/electron/main.js` obtains Azure CLI tokens and calls Microsoft Graph/Teams.
  • `dist/electron/terminal/server.js` launches configured Copilot CLI sessions, including optional `--yolo` mode.
  • `dist/electron/main.js` runs a development file watcher only when the Electron app starts.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `bin/copilotoffice.js` only launches the packaged Electron application on explicit CLI invocation.
  • Token use targets declared Microsoft Graph and Teams endpoints; no arbitrary exfiltration endpoint found.
  • No source writes agent-control configuration, VCS hooks, startup persistence, or remote payload loader.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 882 KB of source, external domains: bellard.org, github.com, graph.microsoft.com, ic3.teams.office.com, opensource.org, prunegames.com, steffe.se, teams.cloud.microsoft
Oversized source lightweight scan
dist/game.bundle.js7.74 MB file, sampled 256 KB
HighEntropyStringsMinifiedUrlStringsbellard.orggithub.comopensource.orgprunegames.comsteffe.se

Source & flagged code

5 flagged · loading source
bin/copilotoffice.jsView file
2L3: const { spawn } = require('child_process'); L4: const path = require('path');
High
Child Process

Package source references child process execution.

bin/copilotoffice.jsView on unpkg · L2
dist/electron/main.jsView file
matchType = previous_version_dangerous_delta matchedPackage = copilotoffice@2.1.0 matchedIdentity = npm:Y29waWxvdG9mZmljZQ:2.1.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/electron/main.jsView on unpkg
28var fs7 = __toESM(require("fs")); L29: var import_child_process4 = require("child_process"); L30: ... L44: var START_TIME_GRACE_MS = 2e3; L45: var DEFAULT_REGISTRY_FILE = path.join(process.cwd(), ".data", "pty-pids.json"); L46: function readPtyRegistry(file = DEFAULT_REGISTRY_FILE) { ... L48: const raw = fs.readFileSync(file, "utf8"); L49: const parsed = JSON.parse(raw); L50: if (!Array.isArray(parsed)) return []; ... L155: * 'copilot-ask-user' (agentId, toolId, requestId, question, options, freeform), L156: * 'session-meta-updated' (agentId, meta), 'terminal-exit' (agentId, exitCode). L157: * Accepts (via mainSubmitAnswer): 'submit-answer' (officeId, agentId, requestId?, answer, wasFreeform).
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/electron/main.jsView on unpkg · L28
2976if (fs7.existsSync(path8.join(process.cwd(), "src", "main.ts"))) { L2977: watcherProcess = (0, import_child_process4.spawn)("npx", ["esbuild", "src/main.ts", "--bundle", "--outfile=dist/game.bundle.js", "--platform=browser", "--format=iife", "--global-na... L2978: cwd: process.cwd(),
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/electron/main.jsView on unpkg · L2976
dist/game.bundle.jsView file
path = dist/game.bundle.js kind = oversized_source_file sizeBytes = 8119235 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/game.bundle.jsView on unpkg

Findings

1 Critical4 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/electron/main.js
HighChild Processbin/copilotoffice.js
HighSandbox Evasion Gated Capabilitydist/electron/main.js
HighRuntime Package Installdist/electron/main.js
HighOversized Source Filedist/game.bundle.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings