registry  /  mastercoder  /  0.3.1

mastercoder@0.3.1

MasterCoder — 기업용 AI 코딩 에이전트 (terminal CLI). 웹과 같은 회사 계정·정책·청구로 묶입니다.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is present in this package's source. The runtime launcher delegates to an optional dependency binary when the user runs the CLI, but this package does not contain install-time execution or persistence logic.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes the mastercoder CLI bin.
Impact
Executes the package-aligned optional dependency binary with user-provided CLI arguments; no direct exfiltration or filesystem mutation seen in this package.
Mechanism
platform binary launcher via spawnSync
Rationale
Static inspection found a small npm meta-package/launcher with no lifecycle hooks, no credential harvesting, no network code, and no AI-agent control-surface writes. The suspicious primitives are package-aligned CLI delegation and inert documentation, not concrete malicious behavior in this package.
Evidence
package.jsonbin/mastercoder.mjsREADME.mdmastercoder-${platform}-${arch}/bin/mastercoder
Network endpoints3
mastercoder.aigithub.com/latemonk/mastercoder-cli.gitopencode.ai

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/mastercoder.mjs uses spawnSync to execute a platform-specific optional dependency binary at user runtime.
  • package.json declares optionalDependencies for mastercoder platform packages, whose binary contents are not present in this package.
  • README.md is inconsistent with package branding and documents OpenCode install URLs, but it is inert documentation.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/mastercoder.mjs only resolves mastercoder-${platform}-${arch}/bin/mastercoder and passes CLI args/stdio through.
  • No source writes files, reads credentials/env secrets, registers agent control surfaces, or performs network requests.
  • The scanner's package-install signal is an error message suggesting npm install, not executed code.
Behavioral surface
Source
ChildProcessShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 884 B of source, external domains: mastercoder.ai

Source & flagged code

2 flagged · loading source
bin/mastercoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module"
High
Child Process

Package source references child process execution.

bin/mastercoder.mjsView on unpkg · L3
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module" ... L14: console.error(`MasterCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`) L15: console.error(`해결: npm install -g mastercoder --force · 안내: https://mastercoder.ai/cli/`) L16: process.exit(1)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/mastercoder.mjsView on unpkg · L3

Findings

3 High1 Low
HighChild Processbin/mastercoder.mjs
HighShell
HighRuntime Package Installbin/mastercoder.mjs
LowUrl Strings