registry  /  icoa-cli  /  2.19.353

icoa-cli@2.19.353

ICOA CLI — The world's first CLI-native cyber & AI security olympiad terminal: AI4CTF (Day 1), CTF4AI (Day 2), VLA4CTF (Pioneer Round — embodied AI)

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are present, including obfuscated challenge modules, user-invoked shell execution, Docker/nc spawning, and ICOA API calls, but they match the advertised CTF CLI behavior and are not install-time or hidden exfiltration paths.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit user CLI actions such as icoa, ctf4ai, ctf4eai, connect, shell, or sandbox commands
Impact
No confirmed unauthorized credential theft, persistence, destructive behavior, or hidden payload execution
Mechanism
user-invoked CTF tooling and ICOA API communication
Rationale
Static inspection found suspicious-looking obfuscation and dual-use CTF primitives, but the reachable behaviors are user-invoked competition features and the install hook is only cosmetic output. No concrete unconsented execution, credential harvesting, exfiltration, persistence, or destructive action was found.
Evidence
package.jsondist/postinstall.jsdist/index.jsdist/lib/tool-man.jsdist/commands/ctf4ai-demo.jsdist/commands/ctf4vla.jsdist/lib/gemini.jsdist/lib/config.jsdist/lib/sandbox.jsdist/commands/connect.js~/.icoa/config.json~/.icoa/budget.json~/.icoa/exam-state.json~/.icoa/demo-state.json~/icoa-workspace/q<N>.txt$TMPDIR/icoa-vla-<q>-<timestamp>.mp4
Network endpoints2
practice.icoa2026.auicoa2026.au

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/commands/ctf4ai-demo.js and dist/commands/ctf4vla.js are heavily obfuscated despite being CLI command modules.
  • dist/commands/ctf4ai-demo.js supports user-entered ! commands via execSync during an active CTF4AI session.
  • dist/lib/sandbox.js and dist/lib/interactive-spawn.js invoke docker/nc/ssh-style tools, but only from explicit CLI actions.
Evidence against
  • package.json postinstall only prints an install progress/banner and catches errors.
  • dist/index.js registers CLI commands; no import-time exfiltration or lifecycle attack observed.
  • dist/lib/tool-man.js is a static CTF tool cheatsheet; reverse-shell-like strings are netcat documentation examples.
  • dist/lib/gemini.js sends chat only to configured ICOA/CTFd server, defaulting to https://practice.icoa2026.au.
  • dist/lib/config.js stores config under ~/.icoa with chmod 0600 and does not harvest unrelated files.
  • Network and shell capabilities are package-aligned for a CTF competition CLI and user-triggered.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 83 file(s), 609 KB of source, external domains: aistudio.google.com, api.github.com, au.icoa2026.au, bootstrap.pypa.io, brew.sh, cdn.jsdelivr.net, deb.nodesource.com, github.com, icoa2026.au, nodejs.org, practice.icoa2026.au, python.org, raw.githubusercontent.com, registry.npmjs.org, www.docker.com, www.python.org

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/repl.jsView file
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as l}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as t,saveConfig ...
High
Child Process

Package source references child process execution.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as l}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as t,saveConfig ...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as l}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as t,saveConfig ...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/repl.jsView on unpkg · L1
dist/commands/ctf4ai-demo.jsView file
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x199))/(0x7fc+-0x6b*0x31+0xc80)+-parseInt(U(0x251))/(0x6*-0x111+0x1e36+-0x17ce)*(-parseInt(U(0x1de))/(-0x1c88+...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x199))/(0x7fc+-0x6b*0x31+0xc80)+-parseInt(U(0x251))/(0x6*-0x111+0x1e36+-0x17ce)*(-parseInt(U(0x1de))/(-0x1c88+...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
dist/commands/env.jsView file
1import chalk from"chalk";import{execSync as e}from"node:child_process";import{appendFileSync as o,existsSync as n,mkdirSync as t,readFileSync as r}from"node:fs";import{homedir as a...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/env.jsView on unpkg · L1
dist/lib/tool-man.jsView file
1import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/lib/tool-man.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/repl.js -> dist/lib/tool-man.js L1: import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/tool-man.jsView on unpkg · L1
dist/commands/demo2.jsView file
1import chalk from"chalk";import{spawn as o}from"node:child_process";import{writeFileSync as e}from"node:fs";import{join as n}from"node:path";import{createInterface as t}from"node:r...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/demo2.jsView on unpkg · L1
dist/commands/ctf4vla.jsView file
matchType = previous_version_dangerous_delta matchedPackage = icoa-cli@2.19.352 matchedIdentity = npm:aWNvYS1jbGk:2.19.352 similarity = 0.952 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/commands/ctf4vla.jsView on unpkg

Findings

3 Critical6 High6 Medium5 Low
CriticalReverse Shelldist/lib/tool-man.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/tool-man.js
CriticalPrevious Version Dangerous Deltadist/commands/ctf4vla.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/repl.js
HighSame File Env Network Executiondist/repl.js
HighCommand Output Exfiltrationdist/repl.js
HighSandbox Evasion Gated Capabilitydist/commands/demo2.js
HighObfuscated Payload Loaderdist/commands/ctf4ai-demo.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/commands/ctf4ai-demo.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/env.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings