
justcode-cli@0.2.0

JustCode - an interactive terminal coding assistant CLI

AI Security Review

scanned 21h ago · by lpm-firewall-ai

The package is a thin launcher for a prebuilt JustCode CLI binary. The unresolved risk is the install/runtime download of an opaque executable, not confirmed malicious JS behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or first justcode CLI run
Impact
Uninspectable native/self-contained binary could perform actions beyond reviewed JS sources if the release asset is malicious.
Mechanism
download package-aligned platform binary and spawn it
Attack narrative
On install, postinstall calls ensureBinary, which downloads a platform-specific executable from the package repository's GitHub release into dist-bin and marks it executable. If install scripts are skipped, the bin launcher repeats the download on first run and then spawns the binary. The reviewed JS source does not show credential theft, persistence, destructive behavior, or AI-agent control hijacking, but the actual binary payload is outside the package contents.
Rationale
Static inspection supports a package-aligned CLI launcher, but the release binary is a staged executable payload unavailable for review in this tarball. This warrants a warning rather than a publish block because no concrete malicious behavior or unconsented foreign control-surface mutation appears in the packaged source.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • scripts/lib/download-binary.mjs
  • scripts/lib/platform.mjs
  • bin/justcode.mjs
  • README.md
  • dist-bin/justcode-<os>-<arch>
  • dist-bin/justcode-<os>-<arch>.download
Network endpoints (1)
github.com/kingeke/justcode/releases/download/v0.2.0/justcode-<os>-<arch>

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall runs node scripts/postinstall.mjs during install.
  • scripts/lib/download-binary.mjs downloads a platform executable from GitHub Releases and chmods it executable.
  • bin/justcode.mjs lazily downloads the same binary if missing, then spawns it with inherited stdio.
  • Distributed package does not include the actual binary source/payload for static inspection.
Evidence against
  • Download URL is derived from package.json repository kingeke/justcode and version v0.2.0, matching package purpose.
  • No source writes to foreign AI-agent control surfaces, shell startup files, VCS hooks in consumer projects, or home config files were found.
  • No credential harvesting, env enumeration, destructive actions, persistence, or exfiltration logic found in packaged JS sources.
  • postinstall only downloads into the package-local dist-bin path and has JUSTCODE_SKIP_DOWNLOAD opt-out.
Behavioral surface
Source
Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain
Url Strings
Manifest
No manifest risk signals triggered.
scanned 4 file(s), 5.78 KB of source, external domains: github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.


Findings

1 High · 3 Medium · 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings