registry  /  icoa-cli  /  2.19.380

icoa-cli@2.19.380

ICOA CLI — The world's first CLI-native cyber & AI security olympiad terminal: AI4CTF (Day 1), CTF4AI (Day 2), VLA4CTF (Pioneer Round — embodied AI)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The CLI provides explicit interactive shell access and proctored-exam telemetry. In exam mode it can report shell input and detected AI binaries to the ICOA service; no install-time attack behavior was found.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User launches CLI exam/shell features after installation.
Impact
User commands and exam-related identity/device metadata may be sent to the ICOA service; host commands run only on explicit CLI use.
Mechanism
host-shell launch and exam telemetry POSTs
Rationale
Source inspection disproves the scanner's lifecycle and reverse-shell implications, but confirms opaque runtime code plus invasive proctoring telemetry and host-shell capability. These are not sufficient to establish malicious intent, but warrant a warning for users.
Evidence
package.jsondist/postinstall.jsdist/commands/shell.jsdist/lib/exam-sandbox.jsdist/lib/gemini.jsdist/commands/ctf4ai-demo.jsdist/commands/ctf4vla.jsdist/lib/tool-man.jsdist/lib/config.js
Network endpoints3
practice.icoa2026.au/api/icoa/exam-auditpractice.icoa2026.au/api/icoa/exam-ai-binariespractice.icoa2026.au/api/icoa/ai/chat

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/lib/exam-sandbox.js` detects installed AI CLIs and POSTs detection data.
  • `dist/lib/exam-sandbox.js` records exam shell input, risk flags, device data, and auth identity to `practice.icoa2026.au`.
  • `dist/commands/shell.js` explicitly launches an interactive host shell when Docker is unavailable.
  • `dist/commands/ctf4ai-demo.js` and `dist/commands/ctf4vla.js` are deliberately obfuscated, limiting auditability.
Evidence against
  • `package.json` postinstall only displays progress; `dist/postinstall.js` has no network, file, or process mutation.
  • No `eval`, `Function`, VM execution, or hidden lifecycle payload was confirmed.
  • `dist/lib/tool-man.js` reverse-shell-like strings are CTF tool documentation, not executed socket code.
  • Observed network calls are to the package's ICOA competition endpoints and are reached by CLI/exam features.
  • No writes to AI-agent configuration files or credential-harvesting paths were found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 98 file(s), 681 KB of source, external domains: aistudio.google.com, api.github.com, au.icoa2026.au, bootstrap.pypa.io, brew.sh, cdn.jsdelivr.net, deb.nodesource.com, github.com, icoa2026.au, nodejs.org, practice.icoa2026.au, python.org, raw.githubusercontent.com, registry.npmjs.org, www.docker.com, www.python.org

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/repl.jsView file
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Child Process

Package source references child process execution.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/repl.jsView on unpkg · L1
1import{createInterface as o}from"node:readline";import{spawn as e,execSync as t}from"node:child_process";import chalk from"chalk";import{isConnected as n,getConfig as l,saveConfig ...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/repl.jsView on unpkg · L1
dist/commands/ctf4ai-demo.jsView file
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x25f))/(0x247*0x9+-0x23eb+0xf6d*0x1)*(-parseInt(U(0x24f))/(0x1154+0x10ad+0x21ff*-0x1))+parseInt(U(0x1f8))/(-0x...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
1(function(b,f){const U=a0f,h=b();while(!![]){try{const j=-parseInt(U(0x25f))/(0x247*0x9+-0x23eb+0xf6d*0x1)*(-parseInt(U(0x24f))/(0x1154+0x10ad+0x21ff*-0x1))+parseInt(U(0x1f8))/(-0x...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/ctf4ai-demo.jsView on unpkg · L1
dist/commands/env.jsView file
1import chalk from"chalk";import{execSync as e}from"node:child_process";import{appendFileSync as o,existsSync as n,mkdirSync as t,readFileSync as r}from"node:fs";import{homedir as a...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/env.jsView on unpkg · L1
dist/lib/tool-man.jsView file
1import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/lib/tool-man.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/repl.js -> dist/lib/tool-man.js L1: import chalk from"chalk";export const TOOL_DOCS=[{name:"file",cat:"Forensics",summary:"identify a file type (always step 1)",ex:[["file mystery","what is this really? (extension li...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/tool-man.jsView on unpkg · L1
dist/commands/demo2.jsView file
1import chalk from"chalk";import{spawn as o}from"node:child_process";import{writeFileSync as e}from"node:fs";import{join as n}from"node:path";import{createInterface as t}from"node:r...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/demo2.jsView on unpkg · L1
dist/commands/ctf4vla.jsView file
matchType = previous_version_dangerous_delta matchedPackage = icoa-cli@2.19.379 matchedIdentity = npm:aWNvYS1jbGk:2.19.379 similarity = 0.949 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/ctf4vla.jsView on unpkg

Findings

3 Critical7 High6 Medium4 Low
CriticalReverse Shelldist/lib/tool-man.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/tool-man.js
CriticalPrevious Version Dangerous Deltadist/commands/ctf4vla.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/repl.js
HighSame File Env Network Executiondist/repl.js
HighCommand Output Exfiltrationdist/repl.js
HighSandbox Evasion Gated Capabilitydist/commands/demo2.js
HighObfuscated Payload Loaderdist/commands/ctf4ai-demo.js
HighObfuscated
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/commands/ctf4ai-demo.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/env.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings