AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface is present in this package's source. The runtime launcher delegates to an optional dependency binary when the user runs the CLI, but this package does not contain install-time execution or persistence logic.
Static reason
One or more suspicious static signals were detected.
Trigger
User invokes the mastercoder CLI bin.
Impact
Executes the package-aligned optional dependency binary with user-provided CLI arguments; no direct exfiltration or filesystem mutation seen in this package.
Mechanism
platform binary launcher via spawnSync
Rationale
Static inspection found a small npm meta-package/launcher with no lifecycle hooks, no credential harvesting, no network code, and no AI-agent control-surface writes. The suspicious primitives are package-aligned CLI delegation and inert documentation, not concrete malicious behavior in this package.
Evidence
package.jsonbin/mastercoder.mjsREADME.mdmastercoder-${platform}-${arch}/bin/mastercoder
Network endpoints3
mastercoder.aigithub.com/latemonk/mastercoder-cli.gitopencode.ai
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- bin/mastercoder.mjs uses spawnSync to execute a platform-specific optional dependency binary at user runtime.
- package.json declares optionalDependencies for mastercoder platform packages, whose binary contents are not present in this package.
- README.md is inconsistent with package branding and documents OpenCode install URLs, but it is inert documentation.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- bin/mastercoder.mjs only resolves mastercoder-${platform}-${arch}/bin/mastercoder and passes CLI args/stdio through.
- No source writes files, reads credentials/env secrets, registers agent control surfaces, or performs network requests.
- The scanner's package-install signal is an error message suggesting npm install, not executed code.
Behavioral surface
ChildProcessShell
UrlStrings
Source & flagged code
2 flagged · loading sourcebin/mastercoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough.
L4: import { spawnSync } from "node:child_process"
L5: import { createRequire } from "node:module"
High
Child Process
Package source references child process execution.
bin/mastercoder.mjsView on unpkg · L33// optional dependency) and execs it with full stdio passthrough.
L4: import { spawnSync } from "node:child_process"
L5: import { createRequire } from "node:module"
...
L14: console.error(`MasterCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`)
L15: console.error(`해결: npm install -g mastercoder --force · 안내: https://mastercoder.ai/cli/`)
L16: process.exit(1)
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/mastercoder.mjsView on unpkg · L3Findings
3 High1 Low
HighChild Processbin/mastercoder.mjs
HighShell
HighRuntime Package Installbin/mastercoder.mjs
LowUrl Strings