AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an AI kernel/CLI with user-invoked mesh, MCP, provider, verification, and optional TUI install capabilities.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs infinicode commands such as run, mcp, serve, mission, providers, or install-tui.
Impact
User-authorized agent tasks may contact configured providers, run configured verification commands, or write app configuration.
Mechanism
package-aligned AI agent CLI and MCP control surface
Rationale
Static source inspection found powerful but package-aligned AI agent, MCP, network, and command execution features gated behind explicit CLI/API use, with no install-time execution or hidden exfiltration. Scanner concern about recovery-manager.js is noisy: the file implements retry/escalation decisions and does not execute commands or mutate external control surfaces.
Evidence
package.jsonbin/infinicode.jsdist/cli.jsdist/commands/mcp.jsdist/kernel/mcp/mcp-server.jsdist/kernel/recovery-manager.jsdist/kernel/verification-exec.js.opencode/plugins/home-logo-animation.tsxdist/commands/install-tui.jsdist/kernel/checkpoint-engine.jsdist/kernel/federation/node-identity.jsdist/kernel/federation/role-context.js
Network endpoints9
localhost:11434generativelanguage.googleapis.com/v1betaapi.groq.com/openaiopenrouter.ai/api/v1models.inference.ai.azure.comintegrate.api.nvidia.com/v1router.huggingface.co/v1html.duckduckgo.com/html/api.telegram.org
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/kernel/mcp/mcp-server.js exposes user-invoked MCP tools for dispatch, slash commands, persistent role, and autonomy goals.
- dist/kernel/verification-exec.js can spawn shell commands, but only via kernel verification flows.
- dist/commands/install-tui.js can download/copy a TUI binary into bin/ when explicitly invoked.
Evidence against
- package.json has no install/postinstall/prepare hook; only prepublishOnly builds before publishing.
- bin/infinicode.js only imports dist/cli.js; CLI actions are command-driven.
- dist/kernel/recovery-manager.js only classifies failures and chooses retry/provider/worker recovery decisions.
- .opencode/plugins/home-logo-animation.tsx is a Solid UI animation plugin with no network, filesystem writes, or process execution.
- Network use is aligned with configured Ollama/cloud providers, mesh peers, search/webhook plugins, or user-supplied install URL.
- No credential harvesting, hidden exfiltration endpoint, persistence outside app config, or AI-agent config hijack found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcedist/kernel/recovery-manager.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = infinicode@2.3.2
matchedIdentity = npm:aW5maW5pY29kZQ:2.3.2
similarity = 0.753
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/kernel/recovery-manager.jsView on unpkgFindings
1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/kernel/recovery-manager.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings