registry  /  mastercoder  /  0.3.38

mastercoder@0.3.38

MasterCoder — 기업용 AI 코딩 에이전트 (terminal CLI). 웹과 같은 회사 계정·정책·청구로 묶입니다.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established in this package source. The bin entry is a user-invoked launcher for a package-aligned optional native/platform binary, with no install-time behavior in this tarball.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the mastercoder CLI bin.
Impact
Executes the resolved package-aligned binary with inherited stdio; no source evidence of exfiltration, persistence, or unconsented agent-surface mutation in this package.
Mechanism
platform-specific optional dependency binary launcher
Rationale
Static inspection shows a small CLI shim with no lifecycle hooks and no malicious primitives beyond user-invoked execution of a package-aligned optional dependency. The copied README is suspicious packaging quality but not evidence of concrete attack behavior in this package version.
Evidence
package.jsonbin/mastercoder.mjsREADME.md

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/mastercoder.mjs uses child_process.spawnSync to execute a platform optional dependency binary on CLI invocation.
  • README.md appears copied from OpenCode and does not match the mastercoder package branding.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Published package contains only package.json, README.md, and bin/mastercoder.mjs.
  • bin/mastercoder.mjs only require.resolve's mastercoder-${platform}-${arch}/bin/mastercoder and passes user args/stdio through.
  • No credential/env harvesting, file writes, persistence, network code, eval/vm, or AI-agent control-surface mutation found in package source.
  • The apparent npm install command is only an error-message suggestion, not executed by the code.
Behavioral surface
Source
ChildProcessShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 884 B of source, external domains: mastercoder.ai

Source & flagged code

2 flagged · loading source
bin/mastercoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module"
High
Child Process

Package source references child process execution.

bin/mastercoder.mjsView on unpkg · L3
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module" ... L14: console.error(`MasterCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`) L15: console.error(`해결: npm install -g mastercoder --force · 안내: https://mastercoder.ai/cli/`) L16: process.exit(1)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/mastercoder.mjsView on unpkg · L3

Findings

3 High1 Low
HighChild Processbin/mastercoder.mjs
HighShell
HighRuntime Package Installbin/mastercoder.mjs
LowUrl Strings