
justcode-cli@0.3.2

JustCode - an interactive terminal coding assistant CLI

AI Security Review

scanned 19m ago · by lpm-firewall-ai

The package is a thin npm wrapper that obtains and executes a prebuilt JustCode binary. The risk is an install-time or first-run opaque executable download rather than confirmed malicious JavaScript behavior.

Static reason: One or more suspicious static signals were detected.
Trigger: npm postinstall or running the justcode bin
Impact: Executes a GitHub release binary outside the inspected source with user CLI privileges
Mechanism: package-aligned remote binary download and spawn
Attack narrative: On install, postinstall calls ensureBinary, which downloads a platform-specific executable from the project's GitHub Releases, writes it under dist-bin, marks it executable, and renames it into place. If install scripts were skipped, the bin launcher performs the same download lazily and then spawns the binary.
Rationale: Source inspection shows no confirmed malware or unconsented AI-agent control-surface mutation, but the package lifecycle fetches and executes an opaque release binary without an integrity check. That warrants a warn-level staged payload risk rather than a publish block because the endpoint and behavior are package-aligned.
Evidence: package.json, scripts/postinstall.mjs, scripts/lib/download-binary.mjs, scripts/lib/platform.mjs, bin/justcode.mjs, dist-bin/justcode-<os>-<arch>, dist-bin/justcode-<os>-<arch>.download
Network endpoints (1): github.com/kingeke/justcode/releases/download/v0.3.2/justcode-<os>-<arch>

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/lib/download-binary.mjs downloads a platform executable from GitHub Releases during install or first run
  • downloaded executable is chmod 755 and moved to dist-bin without checksum/signature verification
  • bin/justcode.mjs spawns the downloaded binary with inherited stdio
Evidence against
  • download URL is derived from package repository github.com/kingeke/justcode and version tag
  • postinstall can be skipped with JUSTCODE_SKIP_DOWNLOAD and failures do not fail install
  • no source writes to Claude/Codex/Cursor/MCP control surfaces found
  • no credential harvesting, destructive filesystem logic, or arbitrary remote eval in JS wrapper files
  • prepare only sets local git core.hooksPath and no .githooks files are present in package
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: UrlStrings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 5.78 KB of source, external domains: github.com

Source & flagged code

2 flagged

package.json
scripts.postinstall = node scripts/postinstall.mjs
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 3 Medium, 4 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Environment Vars
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: Url Strings