registry  /  jeo-code  /  0.7.25

jeo-code@0.7.25

Clean, highly optimized AI coding agent using spec-first loop

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface found. Network, credential storage, shell, and file-write primitives are package-aligned for an AI coding-agent CLI and are user-invoked rather than install-time.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs jeo commands such as auth login, setup, launch, update, or explicit installer script options.
Impact
Expected local agent actions and provider API calls; no credential harvesting or unsolicited exfiltration identified.
Mechanism
Interactive coding-agent CLI with OAuth/API-provider integrations and local config persistence
Rationale
Static inspection found a feature-rich AI coding CLI with expected OAuth, provider network calls, and user-directed shell/file tools, but no install-time execution, hidden payload, persistence, or unconsented exfiltration. Scanner flags map to package-aligned runtime capabilities rather than concrete malicious behavior.
Evidence
package.jsonsrc/cli.tssrc/auth/oauth.tssrc/auth/storage.tssrc/auth/flows/openai.tssrc/auth/flows/anthropic.tssrc/auth/flows/google.tssrc/commands/launch.tsscripts/install.shscripts/uninstall.sh~/.jeo/config.json~/.gemini/oauth_creds.json.npmrc
Network endpoints7
auth.openai.com/oauth/authorizeauth.openai.com/oauth/tokenclaude.ai/oauth/authorizeapi.anthropic.com/v1/oauth/tokenaccounts.google.com/o/oauth2/v2/authoauth2.googleapis.com/tokenregistry.npmjs.org/jeo-code/latest

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; bin/main are src/cli.ts.
    • src/cli.ts only dispatches CLI args and installs terminal cleanup handlers at startup.
    • src/auth/oauth.ts and src/auth/flows/* implement user-invoked OAuth against named providers and persist credentials locally.
    • src/auth/storage.ts can auto-import ~/.gemini/oauth_creds.json only during gemini credential resolution; no exfiltration found.
    • src/commands/launch.ts contains agent shell/file capabilities, but they are the advertised interactive coding-agent runtime.
    • scripts/install.sh registry/.npmrc changes require explicit flags; scripts are not lifecycle hooks.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 183 file(s), 1.75 MB of source, external domains: accounts.google.com, api.anthropic.com, api.cerebras.ai, api.deepseek.com, api.fireworks.ai, api.groq.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.openai.com, api.synthetic.new, api.together.xyz, api.venice.ai, api.x.ai, api.xiaomimimo.com, api.z.ai, auth.openai.com, chatgpt.com, claude.ai, cloudcode-pa.googleapis.com, coding-intl.dashscope.aliyuncs.com, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, duckduckgo.com, generativelanguage.googleapis.com, goo.gle, html.duckduckgo.com, integrate.api.nvidia.com, lite.duckduckgo.com, nano-gpt.com, oauth2.googleapis.com, openrouter.ai, portal.qwen.ai, qianfan.baidubce.com, registry.npmjs.org, router.huggingface.co, token-plan-ams.xiaomimimo.com, token-plan-cn.xiaomimimo.com, token-plan-sgp.xiaomimimo.com, tokenhub-intl.tencentcloudmaas.com, www.comet.com, www.googleapis.com, zenmux.ai

    Source & flagged code

    3 flagged · loading source
    src/auth/oauth.tsView file
    15label: "Anthropic Console (Claude)", L16: authorizeUrl: "https://claude.ai/oauth/authorize", L17: instructions: [ ... L51: const cmd = L52: process.platform === "darwin" ? ["open", url] : L53: process.platform === "win32" ? ["cmd", "/c", "start", "", url] : L54: ["xdg-open", url]; L55: const proc = Bun.spawn(cmd, { stdout: "ignore", stderr: "ignore" }); L56: await proc.exited;
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    src/auth/oauth.tsView on unpkg · L15
    scripts/uninstall.shView file
    path = scripts/uninstall.sh kind = build_helper sizeBytes = 1042 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    scripts/uninstall.shView on unpkg
    src/commands/launch.tsView file
    matchType = previous_version_dangerous_delta matchedPackage = jeo-code@0.7.24 matchedIdentity = npm:amVvLWNvZGU:0.7.24 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    src/commands/launch.tsView on unpkg

    Findings

    1 Critical1 High4 Medium4 Low
    CriticalPrevious Version Dangerous Deltasrc/commands/launch.ts
    HighSandbox Evasion Gated Capabilitysrc/auth/oauth.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helperscripts/uninstall.sh
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings