AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an AI kernel/CLI with broad user-invoked network, MCP, mesh, browser, and binary-install capabilities, but inspected behavior matches its stated functionality and is not activated at install/import time.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs CLI commands such as infinicode run, install-tui, serve, mcp, or mission run.
Impact
Configured provider keys and tasks may be sent to user-configured providers or peers during normal operation; no unconsented package-time exfiltration or mutation confirmed.
Mechanism
User-invoked AI execution kernel and mesh control CLI
Rationale
Static inspection found powerful but package-aligned CLI/MCP/mesh features and no consumer lifecycle execution, hidden credential harvesting, or unconsented AI-agent control-surface mutation. The scanner's dangerous-delta concern is explained by user-invoked TUI launch and provider routing code rather than concrete malware.
Evidence
package.jsonbin/infinicode.jsdist/cli.jsdist/commands/run.jsdist/commands/install-tui.jsdist/commands/mcp.jsdist/commands/serve.jsdist/kernel/federation/federation.jsdist/kernel/federation/role-context.js.opencode/tui.json.opencode/plugins/routing-mode-display.tsx.openkernel/node-identity.json.openkernel/role.json.openkernel/checkpoints/*.jsonbin/infinicode-tui
Network endpoints8
localhost:11434generativelanguage.googleapis.com/v1betaapi.groq.com/openaiopenrouter.ai/api/v1models.inference.ai.azure.comintegrate.api.nvidia.com/v1router.huggingface.co/v1html.duckduckgo.com/html/
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/commands/install-tui.js can copy/download a TUI binary into package bin when user runs install-tui.
- dist/commands/run.js spawns a resolved TUI binary and passes OPENCODE_CONFIG_CONTENT including configured provider keys.
- dist/commands/serve.js and dist/commands/mcp.js expose user-invoked mesh/MCP task dispatch surfaces.
Evidence against
- package.json has no install/postinstall hook; prepublishOnly is publisher-side only.
- bin/infinicode.js only imports dist/cli.js; commands run through commander actions, not at import time.
- Network calls are aligned with configured Ollama/cloud providers, user-supplied TUI URL, mesh peers, or documented plugins.
- Persistent writes are scoped to config-driven runtime state such as .openkernel identity, role, checkpoints, and optional TUI install.
- .opencode packaged plugins read config/display UI only; no control-surface writes or hidden reviewer/prompt manipulation found.
- No credential harvesting or unsolicited exfiltration path found in inspected sources.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcedist/commands/run.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = infinicode@2.2.3
matchedIdentity = npm:aW5maW5pY29kZQ:2.2.3
similarity = 0.987
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/commands/run.jsView on unpkgFindings
1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/run.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings