registry  /  icoa-cli  /  2.19.375

icoa-cli@2.19.375

ICOA CLI — The world's first CLI-native cyber & AI security olympiad terminal: AI4CTF (Day 1), CTF4AI (Day 2), VLA4CTF (Pioneer Round — embodied AI)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

User-invoked CTF/exam modes can execute a user-entered shell command and send competition telemetry. The package contains opaque command modules, limiting auditability, but no malicious install-time behavior was confirmed.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Run `icoa` and enter the CTF4AI `!<command>` feature or an exam workflow.
Impact
A user can run arbitrary local commands; exam workflows may transmit entered-command audit data and AI-tool detection metadata to the package's competition service.
Mechanism
Interactive shell execution plus competition telemetry reporting.
Rationale
No concrete malicious install-time chain or foreign AI-agent control-surface mutation is present. The opaque interactive execution and command/identity telemetry are real unresolved risks that warrant a warning.
Evidence
package.jsondist/postinstall.jsdist/commands/ctf4ai-demo.jsdist/commands/ctf4vla.jsdist/lib/exam-sandbox.jsdist/lib/config.jsdist/commands/demo2.jsdist/lib/tool-man.js
Network endpoints3
practice.icoa2026.au/api/icoa/exam-auditpractice.icoa2026.au/api/icoa/exam-ai-binariespractice.icoa2026.au

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/commands/ctf4ai-demo.js` is deliberately obfuscated and dynamically imports `execSync` to execute `!`-prefixed user input.
  • `dist/lib/exam-sandbox.js` collects AI CLI detections and shell-audit records, including command input and configured account/exam identity.
  • `dist/lib/exam-sandbox.js` POSTs audit and AI-binary reports to `https://practice.icoa2026.au/api/icoa/exam-audit` and `/api/icoa/exam-ai-binaries`.
  • `dist/commands/ctf4vla.js` downloads server-provided base64 video to a temp file and opens it through a platform viewer.
Evidence against
  • `package.json` postinstall only loads `dist/postinstall.js`; that file prints an installation progress banner.
  • No postinstall file writes, network requests, child processes, credential reads, or AI-agent configuration mutations were found.
  • The reported shell execution is an explicit interactive `!` command feature, not import-time execution.
  • `dist/lib/tool-man.js` is static CTF tool documentation; its reverse-shell wording is instructional text, not socket/process implementation.
  • Configuration persistence in `dist/lib/config.js` is package-owned under `~/.icoa/`.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 98 file(s), 678 KB of source, external domains: aistudio.google.com, api.github.com, au.icoa2026.au, bootstrap.pypa.io, brew.sh, cdn.jsdelivr.net, deb.nodesource.com, github.com, icoa2026.au, nodejs.org, practice.icoa2026.au, python.org, raw.githubusercontent.com, registry.npmjs.org, www.docker.com, www.python.org

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/repl.jsView file
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Child Process

Package source references child process execution.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/repl.jsView on unpkg · L1
dist/commands/ctf4ai-demo.jsView file
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x20f))/(0x35*-0x27+0x8*0xdf+0x11c*0x1)+parseInt(U(0x1f7))/(-0x1692*-0x1+0x402*-0x4+-0xd1*0x8)*(-parseInt(U(0x1...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x20f))/(0x35*-0x27+0x8*0xdf+0x11c*0x1)+parseInt(U(0x1f7))/(-0x1692*-0x1+0x402*-0x4+-0xd1*0x8)*(-parseInt(U(0x1...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
dist/commands/env.jsView file
1import chalk from"chalk";import{execSync as e}from"node:child_process";import{appendFileSync as o,existsSync as n,mkdirSync as t,readFileSync as r}from"node:fs";import{homedir as a...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/env.jsView on unpkg · L1
dist/lib/tool-man.jsView file
1import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/lib/tool-man.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/repl.js -> dist/lib/tool-man.js L1: import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/tool-man.jsView on unpkg · L1
dist/commands/demo2.jsView file
1import chalk from"chalk";import{spawn as o}from"node:child_process";import{writeFileSync as e}from"node:fs";import{join as n}from"node:path";import{createInterface as t}from"node:r...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/demo2.jsView on unpkg · L1
dist/commands/ctf4vla.jsView file
matchType = previous_version_dangerous_delta matchedPackage = icoa-cli@2.19.373 matchedIdentity = npm:aWNvYS1jbGk:2.19.373 similarity = 0.817 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/ctf4vla.jsView on unpkg

Findings

3 Critical7 High6 Medium4 Low
CriticalReverse Shelldist/lib/tool-man.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/tool-man.js
CriticalPrevious Version Dangerous Deltadist/commands/ctf4vla.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/repl.js
HighSame File Env Network Executiondist/repl.js
HighCommand Output Exfiltrationdist/repl.js
HighSandbox Evasion Gated Capabilitydist/commands/demo2.js
HighObfuscated Payload Loaderdist/commands/ctf4ai-demo.js
HighObfuscated
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/commands/ctf4ai-demo.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/env.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings