registry  /  mastercoder  /  0.3.0

mastercoder@0.3.0

MasterCoder — 기업용 AI 코딩 에이전트 (terminal CLI). 웹과 같은 회사 계정·정책·청구로 묶입니다.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface is present in this package. The only executable source is a user-invoked CLI shim that delegates to a package-aligned optional platform binary.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the mastercoder CLI bin.
Impact
Runs the package-aligned platform executable when explicitly invoked; no source evidence of harvesting, exfiltration, persistence, or unconsented agent-control mutation.
Mechanism
CLI wrapper resolving and spawning optional platform binary
Rationale
Static inspection found suspicious packaging signals and a binary launcher, but the launcher is user-invoked, package-aligned, and has no lifecycle hook, network, credential, persistence, or AI-agent control-surface mutation behavior. The runtime package-install scanner hit is a printed help string, not executable behavior.
Evidence
package.jsonbin/mastercoder.mjsREADME.md

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • README.md is copied from OpenCode and does not match the mastercoder package branding.
  • bin/mastercoder.mjs user-invoked CLI executes a platform optional dependency binary via spawnSync.
Evidence against
  • package.json has no preinstall/postinstall/prepare lifecycle scripts.
  • bin/mastercoder.mjs only resolves mastercoder-${platform}-${arch}/bin/mastercoder and forwards CLI args/stdio.
  • The scanner's npm install hit is only an error-message remediation string, not an executed install command.
  • No source code reads env vars, credentials, home/project files, or agent control-surface config.
  • No network client code or runtime fetch/curl/wget behavior is present in package source.
  • Package contains only package.json, README.md, and bin/mastercoder.mjs.
Behavioral surface
Source
ChildProcessShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 884 B of source, external domains: mastercoder.ai

Source & flagged code

2 flagged · loading source
bin/mastercoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module"
High
Child Process

Package source references child process execution.

bin/mastercoder.mjsView on unpkg · L3
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module" ... L14: console.error(`MasterCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`) L15: console.error(`해결: npm install -g mastercoder --force · 안내: https://mastercoder.ai/cli/`) L16: process.exit(1)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/mastercoder.mjsView on unpkg · L3

Findings

3 High1 Low
HighChild Processbin/mastercoder.mjs
HighShell
HighRuntime Package Installbin/mastercoder.mjs
LowUrl Strings