AI Security Review
scanned 3h ago · by lpm-firewall-aiThis package is a thin CLI launcher for platform-specific optional dependency binaries. Static inspection of the wrapper source does not show a confirmed malicious attack surface, but execution is delegated to external package-owned binaries not included here.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the mastercoder CLI command.
Impact
Executes the resolved mastercoder platform binary with user-supplied CLI arguments and inherited stdio.
Mechanism
Platform-specific binary resolution and spawnSync execution
Rationale
The scanner's child_process and runtime install hints map to a normal bin launcher pattern and an error message, with no lifecycle hook, stealth mutation, exfiltration, or remote payload fetch in this package source. Because the wrapper delegates runtime behavior to optional platform packages outside this extracted source, the appropriate verdict for this package source is suspicious rather than malicious.
Evidence
package.jsonbin/mastercoder.mjs
Network endpoints3
mastercoder.aimastercoder.ai/cli/github.com/latemonk/mastercoder-cli.git
Decision evidence
public snapshotAI called this Suspicious at 76.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- bin/mastercoder.mjs uses spawnSync to execute a platform-specific optional dependency binary with inherited stdio.
- package.json declares optional native/binary packages mastercoder-{platform}-{arch}@0.3.50, whose contents are not present in this wrapper package.
Evidence against
- package.json has no preinstall/install/postinstall/prepare lifecycle scripts.
- bin/mastercoder.mjs only runs when the mastercoder CLI bin is invoked; no import-time or install-time execution path is present.
- No credential/env harvesting, file enumeration, destructive commands, persistence, eval/vm/Function, or network request code is present in inspected source.
- The displayed npm install command is only an error/help message, not executed by the package.
Behavioral surface
ChildProcessShell
UrlStrings
Source & flagged code
2 flagged · loading sourcebin/mastercoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough.
L4: import { spawnSync } from "node:child_process"
L5: import { createRequire } from "node:module"
High
Child Process
Package source references child process execution.
bin/mastercoder.mjsView on unpkg · L33// optional dependency) and execs it with full stdio passthrough.
L4: import { spawnSync } from "node:child_process"
L5: import { createRequire } from "node:module"
...
L14: console.error(`MasterCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`)
L15: console.error(`해결: npm install -g mastercoder --force · 안내: https://mastercoder.ai/cli/`)
L16: process.exit(1)
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/mastercoder.mjsView on unpkg · L3Findings
3 High1 Low
HighChild Processbin/mastercoder.mjs
HighShell
HighRuntime Package Installbin/mastercoder.mjs
LowUrl Strings