registry  /  jeo-code  /  0.7.29

jeo-code@0.7.29

Clean, highly optimized AI coding agent using spec-first loop

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI coding-agent CLI with expected network, credential storage, shell, and file-write capabilities that activate through explicit CLI/agent workflows.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs jeo commands such as launch/auth/setup/update or explicit installer scripts.
Impact
No hidden install-time/import-time credential theft, persistence, destructive action, or exfiltration identified by static inspection.
Mechanism
User-invoked AI agent tooling and OAuth provider integration
Rationale
Static inspection found powerful AI-agent capabilities, OAuth token handling, and network calls, but they are visible, user-invoked, and aligned with the package's stated AI coding-agent purpose. No lifecycle hook, hidden import-time execution, credential exfiltration, malicious endpoint, persistence, or reviewer manipulation was confirmed.
Evidence
package.jsonsrc/cli.tssrc/auth/oauth.tssrc/auth/storage.tssrc/auth/flows/anthropic.tssrc/auth/flows/openai.tssrc/auth/flows/google-project.tssrc/auth/flows/antigravity.tssrc/auth/flows/kimi.tssrc/agent/tools.tsscripts/install.shscripts/uninstall.sh
Network endpoints12
claude.ai/oauth/authorizeapi.anthropic.com/v1/oauth/tokenauth.openai.com/oauth/authorizeauth.openai.com/oauth/tokenauth.openai.com/api/accounts/deviceauth/usercodeauth.openai.com/api/accounts/deviceauth/tokenaccounts.google.com/o/oauth2/v2/authoauth2.googleapis.com/tokencloudcode-pa.googleapis.comauth.kimi.comapi.kimi.com/codingregistry.npmjs.org/jeo-code/latest

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • src/agent/tools.ts exposes user/model-invoked bash, write, edit, and rm-style tools as expected for an AI coding agent.
  • src/auth/storage.ts can auto-import ~/.gemini/oauth_creds.json during credential resolution and persists OAuth credentials under ~/.jeo config.
  • scripts/install.sh can install Bun via https://bun.sh/install and mutate npm registry config only when explicit flags are used.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; bin/main point to src/cli.ts.
  • src/cli.ts only dispatches CLI args and sets terminal crash handling; no import-time exfiltration or payload execution found.
  • src/auth/oauth.ts and src/auth/flows/*.ts implement interactive OAuth/device flows to named providers, then store credentials locally via src/auth/storage.ts.
  • Network use is package-aligned: provider APIs, npm registry update check, GitHub/Bun installer script, and local OAuth callbacks.
  • Bundled AGENTS.md and prompt files are normal product prompts/docs; no reviewer/firewall manipulation instructions found.
  • Dangerous primitives are user-invoked CLI/agent functionality rather than lifecycle or hidden execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 184 file(s), 1.81 MB of source, external domains: accounts.google.com, api.anthropic.com, api.cerebras.ai, api.deepseek.com, api.fireworks.ai, api.groq.com, api.kimi.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.openai.com, api.synthetic.new, api.together.xyz, api.venice.ai, api.x.ai, api.xiaomimimo.com, api.z.ai, auth.kimi.com, auth.openai.com, chatgpt.com, claude.ai, cloudcode-pa.googleapis.com, coding-intl.dashscope.aliyuncs.com, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, duckduckgo.com, generativelanguage.googleapis.com, goo.gle, html.duckduckgo.com, integrate.api.nvidia.com, lite.duckduckgo.com, nano-gpt.com, oauth2.googleapis.com, openrouter.ai, portal.qwen.ai, qianfan.baidubce.com, registry.npmjs.org, router.huggingface.co, token-plan-ams.xiaomimimo.com, token-plan-cn.xiaomimimo.com, token-plan-sgp.xiaomimimo.com, tokenhub-intl.tencentcloudmaas.com, www.comet.com, www.googleapis.com, zenmux.ai

Source & flagged code

3 flagged · loading source
src/auth/oauth.tsView file
15label: "Anthropic Console (Claude)", L16: authorizeUrl: "https://claude.ai/oauth/authorize", L17: instructions: [ ... L60: const cmd = L61: process.platform === "darwin" ? ["open", url] : L62: process.platform === "win32" ? ["cmd", "/c", "start", "", url] : L63: ["xdg-open", url]; L64: const proc = Bun.spawn(cmd, { stdout: "ignore", stderr: "ignore" }); L65: await proc.exited;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/auth/oauth.tsView on unpkg · L15
scripts/uninstall.shView file
path = scripts/uninstall.sh kind = build_helper sizeBytes = 1042 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/uninstall.shView on unpkg
src/commands/launch.tsView file
matchType = previous_version_dangerous_delta matchedPackage = jeo-code@0.7.26 matchedIdentity = npm:amVvLWNvZGU:0.7.26 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/commands/launch.tsView on unpkg

Findings

1 Critical1 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/commands/launch.ts
HighSandbox Evasion Gated Capabilitysrc/auth/oauth.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/uninstall.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings