registry  /  icoa-cli  /  2.19.352

icoa-cli@2.19.352

ICOA CLI — The world's first CLI-native cyber & AI security olympiad terminal: AI4CTF (Day 1), CTF4AI (Day 2), VLA4CTF (Pioneer Round — embodied AI)

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are tied to an interactive CTF/competition CLI and its declared AI/exam features, while install-time code is cosmetic.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs cosmetic postinstall; runtime features require user invoking icoa commands
Impact
No source-grounded credential theft, persistence, destructive action, or unsolicited code execution confirmed
Mechanism
package-aligned interactive CLI with CTF shell, AI chat, exam sync, and translation fetching
Rationale
Static inspection found suspicious primitives, but they are package-aligned for a CTF/AI competition CLI and are user-invoked or limited to configured ICOA services. The install hook is benign output only, and scanner reverse-shell/obfuscation hits do not establish concrete malicious behavior.
Evidence
package.jsondist/postinstall.jsdist/index.jsdist/repl.jsdist/commands/ctf4ai-demo.jsdist/commands/shell.jsdist/lib/tool-man.jsdist/lib/gemini.jsdist/lib/log-sync.jsdist/lib/config.js

Decision evidence

public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall hook
  • dist/commands/ctf4ai-demo.js is obfuscated
  • dist/repl.js and dist/commands/shell.js expose user-invoked shell execution
  • dist/lib/log-sync.js can upload session.log to configured ICOA server
Evidence against
  • dist/postinstall.js only prints install progress/banner
  • dist/lib/tool-man.js reverse-shell hit is a CTF tool cheatsheet entry for nc/socat, not socket wiring
  • dist/lib/gemini.js sends chat to configured ICOA AI endpoint with competition context
  • dist/repl.js shell execution requires interactive CLI input and has sandbox/risk logging paths
  • dist/lib/config.js stores config under ~/.icoa with chmod 0600
  • Network endpoints are ICOA competition/translation/audit APIs aligned with package purpose
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 83 file(s), 610 KB of source, external domains: aistudio.google.com, api.github.com, au.icoa2026.au, bootstrap.pypa.io, brew.sh, cdn.jsdelivr.net, deb.nodesource.com, github.com, icoa2026.au, nodejs.org, practice.icoa2026.au, python.org, raw.githubusercontent.com, registry.npmjs.org, www.docker.com, www.python.org

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/repl.jsView file
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as l}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as t,saveConfig ...
High
Child Process

Package source references child process execution.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as l}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as t,saveConfig ...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as l}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as t,saveConfig ...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/repl.jsView on unpkg · L1
dist/commands/ctf4ai-demo.jsView file
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x270))/(0x12e9+0x10*0x14b+-0x2798)+-parseInt(U(0x26c))/(-0x2c3+-0xe79+-0x2*-0x89f)+parseInt(U(0x1da))/(-0x1*0x...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x270))/(0x12e9+0x10*0x14b+-0x2798)+-parseInt(U(0x26c))/(-0x2c3+-0xe79+-0x2*-0x89f)+parseInt(U(0x1da))/(-0x1*0x...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
dist/commands/env.jsView file
1import chalk from"chalk";import{execSync as e}from"node:child_process";import{appendFileSync as o,existsSync as n,mkdirSync as t,readFileSync as r}from"node:fs";import{homedir as a...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/env.jsView on unpkg · L1
dist/lib/tool-man.jsView file
1import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/lib/tool-man.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/repl.js -> dist/lib/tool-man.js L1: import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/tool-man.jsView on unpkg · L1
dist/commands/demo2.jsView file
1import chalk from"chalk";import{spawn as o}from"node:child_process";import{writeFileSync as e}from"node:fs";import{join as n}from"node:path";import{createInterface as t}from"node:r...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/demo2.jsView on unpkg · L1

Findings

2 Critical6 High6 Medium5 Low
CriticalReverse Shelldist/lib/tool-man.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/tool-man.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/repl.js
HighSame File Env Network Executiondist/repl.js
HighCommand Output Exfiltrationdist/repl.js
HighSandbox Evasion Gated Capabilitydist/commands/demo2.js
HighObfuscated Payload Loaderdist/commands/ctf4ai-demo.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/commands/ctf4ai-demo.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/env.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings