registry  /  mindexec-ai  /  0.2.1142

mindexec-ai@0.2.1142

MindExec local runtime and bridge CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A user-started local bridge provides token-protected file, shell, Codex, browser, and remote-agent controls. Its postinstall action is limited to package-local grammar-file setup.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the CLI/server, then invokes its local API with the bridge token; postinstall runs during npm installation.
Impact
Authorized local callers can execute shell commands, alter workspace files, and launch a remote agent; this is a substantial dual-use capability, not a confirmed covert attack.
Mechanism
Local privileged automation bridge with optional remote-agent and Codex execution.
Rationale
The package is not malicious by the inspected source, but it intentionally ships a high-impact local automation and remote-agent capability. Warn so consumers can assess the privileged runtime surface.
Evidence
package.jsonscripts/setup-tree-sitter-grammars.mjslaunch-bridge.cjsserver.jscodex-runtime.jsport-guard.cjstree-sitter-grammars/remote-fast/
Network endpoints1
api.openai.com/v1

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `server.js` exposes authenticated local shell execution and workspace file mutation APIs.
  • `server.js` can launch a managed remote agent, with an `npx -y @mindexec/remote@latest` fallback.
  • `server.js` launches bundled native `remote-fast` binaries after a version preflight.
  • `codex-runtime.js` creates an isolated Codex runtime and runs Codex with user-selected task intent.
Evidence against
  • `package.json` postinstall only runs `scripts/setup-tree-sitter-grammars.mjs`.
  • The postinstall script only copies listed WASM grammars into this package's `tree-sitter-grammars/` directory.
  • `server.js` binds its HTTP server to `127.0.0.1` and protects sensitive routes with a bridge token by default.
  • No source evidence of install-time network access, credential exfiltration, foreign AI-agent config mutation, or stealth persistence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 72 file(s), 6.00 MB of source, external domains: 127.0.0.1, api.duckduckgo.com, api.imagerouter.io, api.openai.com, bulkmd.pages.dev, clipbrd.pages.dev, developers.cloudflare.com, duckduckgo.com, example.com, github.com, html.duckduckgo.com, img.youtube.com, markdown-link-checker.pages.dev, mcp.example.test, md2html-4r7.pages.dev, mdoutln.pages.dev, mdtable-3ik.pages.dev, mdview-die.pages.dev, mindexec.pages.dev, mindexecution.pages.dev, news.google.com, openrouter.ai, quickpad.pages.dev, reactjs.org, readme-1o4.pages.dev, schema.org, search.brave.com, www.bing.com, www.googleapis.com, www.w3.org, www.youtube.com

Source & flagged code

13 flagged · loading source
package.jsonView file
scripts.postinstall = npm run setup:grammars
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run setup:grammars
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
server.jsView file
12import path from 'path'; L13: import { exec, spawn, spawnSync, execFile } from 'child_process'; L14: import { promisify } from 'util';
High
Child Process

Package source references child process execution.

server.jsView on unpkg · L12
39L40: const execAsync = promisify(exec); L41: const execFileAsync = promisify(execFile);
High
Shell

Package source references shell execution.

server.jsView on unpkg · L39
wwwroot/assets/canvas-ai-task-core-B5U_gm4u.jsView file
1478})(); L1479: `}function Bo(t){const i=performance.now(),e=[],r={log:(...a)=>e.push(kr(a.map(u=>String(u)).join(" "))),warn:(...a)=>e.push(kr(a.map(u=>String(u)).join(" "))),error:(...a)=>e.push... L1480: `));return{ok:!0,output:await Promise.resolve(a(t.input,r)),logs:e,error:"",durationMs:Math.round(performance.now()-i),isolation:"inline-test-fallback"}}).catch(a=>({ok:!1,output:n...
Low
Eval

Package source references a known benign dynamic code generation pattern.

wwwroot/assets/canvas-ai-task-core-B5U_gm4u.jsView on unpkg · L1478
wwwroot/assets/supabaseAuthAdapter-Du9oY-mZ.jsView file
43${b}`}class C extends Error{constructor({message:e,code:r,cause:s,name:n}){var i;super(e,{cause:s}),this.__isWebAuthnError=!0,this.name=(i=n??(s instanceof Error?s.name:void 0))!==... L44: `);const A=await E.signMessage(new TextEncoder().encode(p),"utf8");if(!A||!(A instanceof Uint8Array))throw new Error("@supabase/auth-js: Wallet signMessage() API returned an recogn...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

wwwroot/assets/supabaseAuthAdapter-Du9oY-mZ.jsView on unpkg · L43
ai-task-js-sandbox.jsView file
85content: typeof content === 'string' ? content : JSON.stringify(content ?? null, null, 2), L86: metadata: metadata && typeof metadata === 'object' ? metadata : {}, L87: reusable: true ... L254: remoteWorkerHarvest(label, options = {}) { return makeAction('remote-worker-harvest', label, { ...normalizeActionOptions(options), adapterCapabilityId: 'remote-worker-harvest' }, f... L255: webFetch(label, target, options = {}) { return makeAction('web-fetch', label, { ...normalizeActionOptions(options), url: target, target, adapterCapabilityId: 'web-fetch' }, false);... L256: fileRead(label, target, options = {}) { return makeAction('file-read', label, { ...normalizeActionOptions(options), filePath: target, target, adapterCapabilityId: 'file-read' }, fa... ... L300: if (serialized.length > MAX_OUTPUT_CHARS) throw new Error(`Script output exceeded ${MAX_OUTPUT_CHARS} characters.`); L301: return JSON.parse(serialized); L302: } ... L372: workerData: { kind: WORKER_KIND, code, input: options?.input ?? null, timeoutMs }, L373: execArgv: process.execArgv.filter(argument => !String(argument).startsWith('--input-type')), L374: resourceLimits: { maxOldGenerationSizeMb: 32, maxYoungGenerationSiz
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

ai-task-js-sandbox.jsView on unpkg · L85
remote-hub.jsView file
1import net from 'net'; L2: import os from 'os'; ... L9: const MAX_LINE_CHARS = 4 * 1024 * 1024; L10: const MAX_THUMBNAIL_BASE64_CHARS = 3 * 1024 * 1024; L11: const MAX_STREAM_BASE64_CHARS = 3 * 1024 * 1024; ... L25: const DEFAULT_HOST_TARGET_LEASE_MS = 30000; L26: const SYNTHETIC_FRAME_DATA_URL = 'data:image/png;base64,[redacted]'; L27: const SYNTHETIC_FRAME_PAYLOAD = Buffer.from(SYNTHETIC_FRAME_DATA_URL.split(',')[1], 'base64'); ... L74: L75: function isPrivateIPv4(value) { L76: const parts = String(value || '').split('.').map(part => Number(part)); ... L149: const candidates = [];
Low
Weak Crypto

Package source references weak cryptographic algorithms.

remote-hub.jsView on unpkg · L1
scripts/remote-fast-mdm-browser-smoke.mjsView file
3import assert from 'node:assert/strict'; L4: import { spawn } from 'node:child_process'; L5: import { mkdtemp, rm } from 'node:fs/promises'; L6: import net from 'node:net'; L7: import os from 'node:os'; ... L14: const LOCAL_BRIDGE_DIR = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..'); L15: const REQUESTED_FPS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_REQUEST_FPS || 12); L16: const SAMPLE_MS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_SAMPLE_MS || 1500);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/remote-fast-mdm-browser-smoke.mjsView on unpkg · L3
3Detached bundled service listener: scripts/remote-fast-mdm-browser-smoke.mjs spawns server.js; helper exposes a broad-bound HTTP listener. L3: import assert from 'node:assert/strict'; L4: import { spawn } from 'node:child_process'; L5: import { mkdtemp, rm } from 'node:fs/promises'; L6: import net from 'node:net'; L7: import os from 'node:os'; ... L14: const LOCAL_BRIDGE_DIR = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..'); L15: const REQUESTED_FPS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_REQUEST_FPS || 12); L16: const SAMPLE_MS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_SAMPLE_MS || 1500); ... L47: L48: const payload = await response.json().catch(() => null); L49: return { status: response.status, ok: response.ok, payload }; ... L90:
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

scripts/remote-fast-mdm-browser-smoke.mjsView on unpkg · L3
remote-fast/osx-x64/mindexec-remote-fastView file
path = remote-fast/osx-x64/mindexec-remote-fast kind = native_binary sizeBytes = 83704 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

remote-fast/osx-x64/mindexec-remote-fastView on unpkg
tree-sitter-grammars/tree-sitter-go.wasmView file
path = tree-sitter-grammars/tree-sitter-go.wasm kind = wasm_module sizeBytes = 235957 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

tree-sitter-grammars/tree-sitter-go.wasmView on unpkg
start-bridge.batView file
path = start-bridge.bat kind = build_helper sizeBytes = 558 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

start-bridge.batView on unpkg

Findings

5 High9 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processserver.js
HighShellserver.js
HighSame File Env Network Executionscripts/remote-fast-mdm-browser-smoke.mjs
HighSpawned Bundled Service Listenerscripts/remote-fast-mdm-browser-smoke.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirewwwroot/assets/supabaseAuthAdapter-Du9oY-mZ.js
MediumUnsafe Vm Contextai-task-js-sandbox.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binaryremote-fast/osx-x64/mindexec-remote-fast
MediumShips Wasm Moduletree-sitter-grammars/tree-sitter-go.wasm
MediumShips Build Helperstart-bridge.bat
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwwwroot/assets/canvas-ai-task-core-B5U_gm4u.js
LowWeak Cryptoremote-hub.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings