registry  /  mastercoder  /  0.3.50

mastercoder@0.3.50

MasterCoder — 기업용 AI 코딩 에이전트 (terminal CLI). 웹과 같은 회사 계정·정책·청구로 묶입니다.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

This package is a thin CLI launcher for platform-specific optional dependency binaries. Static inspection of the wrapper source does not show a confirmed malicious attack surface, but execution is delegated to external package-owned binaries not included here.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the mastercoder CLI command.
Impact
Executes the resolved mastercoder platform binary with user-supplied CLI arguments and inherited stdio.
Mechanism
Platform-specific binary resolution and spawnSync execution
Rationale
The scanner's child_process and runtime install hints map to a normal bin launcher pattern and an error message, with no lifecycle hook, stealth mutation, exfiltration, or remote payload fetch in this package source. Because the wrapper delegates runtime behavior to optional platform packages outside this extracted source, the appropriate verdict for this package source is suspicious rather than malicious.
Evidence
package.jsonbin/mastercoder.mjs
Network endpoints3
mastercoder.aimastercoder.ai/cli/github.com/latemonk/mastercoder-cli.git

Decision evidence

public snapshot
AI called this Suspicious at 76.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/mastercoder.mjs uses spawnSync to execute a platform-specific optional dependency binary with inherited stdio.
  • package.json declares optional native/binary packages mastercoder-{platform}-{arch}@0.3.50, whose contents are not present in this wrapper package.
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle scripts.
  • bin/mastercoder.mjs only runs when the mastercoder CLI bin is invoked; no import-time or install-time execution path is present.
  • No credential/env harvesting, file enumeration, destructive commands, persistence, eval/vm/Function, or network request code is present in inspected source.
  • The displayed npm install command is only an error/help message, not executed by the package.
Behavioral surface
Source
ChildProcessShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 884 B of source, external domains: mastercoder.ai

Source & flagged code

2 flagged · loading source
bin/mastercoder.mjsView file
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module"
High
Child Process

Package source references child process execution.

bin/mastercoder.mjsView on unpkg · L3
3// optional dependency) and execs it with full stdio passthrough. L4: import { spawnSync } from "node:child_process" L5: import { createRequire } from "node:module" ... L14: console.error(`MasterCoder: 이 플랫폼(${os.platform()}-${os.arch()})용 실행 파일을 찾지 못했어요.`) L15: console.error(`해결: npm install -g mastercoder --force · 안내: https://mastercoder.ai/cli/`) L16: process.exit(1)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/mastercoder.mjsView on unpkg · L3

Findings

3 High1 Low
HighChild Processbin/mastercoder.mjs
HighShell
HighRuntime Package Installbin/mastercoder.mjs
LowUrl Strings