mindexec-ai@0.2.762

MindExec local runtime and bridge CLI

AI Security Review

scanned 13h ago · by lpm-firewall-ai

The package is a local AI/runtime bridge with powerful user-invoked capabilities, not an install-time hijack. The unresolved risk is exposure of dangerous capabilities through a local web bridge, Codex execution, shell/file APIs, and managed remote-agent launch paths.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs mindexec/mind-bridge or starts server.js, then authorized web/API clients call bridge endpoints.
Impact
A client with bridge token access can modify workspace files, execute shell commands, invoke Codex, or connect managed remote agents; no unconsented install-time mutation was found.
Mechanism
local bridge exposing AI, shell, file, browser, and remote-agent controls
Attack narrative
On install, the only lifecycle action copies tree-sitter grammar WASM files into the package grammar directory if missing. When explicitly launched, the package runs a localhost MindExec bridge with token-protected APIs for workspace file operations, shell jobs, Codex SDK/CLI execution, browser automation, and remote-agent management, including a fallback to npx @mindexec/remote@latest. This is dangerous agent/runtime functionality, but source inspection did not show lifecycle-triggered foreign agent control-surface mutation, stealth persistence, credential harvesting, or exfiltration.
Rationale
The scanner's install-time concern is noisy because postinstall is limited to grammar setup, but the runtime bridge exposes broad AI-agent, shell, file, and remote-control capabilities once the CLI is run. That supports a warn/suspicious verdict rather than publish blocking absent unconsented lifecycle delivery or confirmed malicious exfiltration.
Evidence
package.json, scripts/setup-tree-sitter-grammars.mjs, launch-bridge.cjs, server.js, codex-runtime.js, remote-hub.js, port-guard.cjs, tree-sitter-grammars/*.wasm, .mindexec/*, ~/.mindexec-ai/auth/supabase-session.json, ~/.mindexec/codex-runtime/config.toml, ~/.mindexec/codex-runtime/auth.json, .ai/codex/*.schema.json
Network endpoints (12)
127.0.0.1:5077, www.googleapis.com/youtube/v3, openrouter.ai/api/v1/models, api.imagerouter.io/v2/models, html.duckduckgo.com/html/, api.duckduckgo.com/, search.brave.com/search, news.google.com/rss/search, www.bing.com/search, api.openai.com/v1, mindexec.pages.dev, mindexecution.pages.dev

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • server.js exposes token-protected local APIs for file write/delete, shell execution, browser actions, Codex runs, and remote device control.
  • server.js /api/status returns bridgeToken and allows package web origins including mindexec.pages.dev and mindexecution.pages.dev.
  • server.js can launch managed RemoteAgent via bundled remote-fast or fallback npx -y @mindexec/remote@latest after remote-agent connect flows.
  • codex-runtime.js creates ~/.mindexec/codex-runtime, copies ~/.codex/auth.json, and runs Codex SDK/CLI with caller-selected sandbox options.
Evidence against
  • package.json postinstall only runs scripts/setup-tree-sitter-grammars.mjs to copy packaged tree-sitter WASM grammars.
  • No install-time writes to foreign AI agent control files such as .mcp.json, CLAUDE.md, .claude, Cursor, or ~/.codex config.
  • launch-bridge.cjs starts server.js only through explicit CLI/bin use and opens localhost app; it is not import-time execution.
  • server.js validates file operations to workspace/project paths and protects high-risk routes with a bridge token by default.
  • Network endpoints are package-aligned local bridge, model/search APIs, Supabase/app config, and remote-agent manager flows; no credential exfiltration sink was confirmed.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Telemetry, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 51 file(s), 4.44 MB of source, external domains: 127.0.0.1, api.duckduckgo.com, api.imagerouter.io, api.openai.com, bulkmd.pages.dev, clipbrd.pages.dev, developers.cloudflare.com, duckduckgo.com, example.com, github.com, html.duckduckgo.com, img.youtube.com, markdown-link-checker.pages.dev, md2html-4r7.pages.dev, mdoutln.pages.dev, mdtable-3ik.pages.dev, mdview-die.pages.dev, mindexec.pages.dev, mindexecution.pages.dev, news.google.com, openrouter.ai, quickpad.pages.dev, reactjs.org, readme-1o4.pages.dev, schema.org, search.brave.com, www.bing.com, www.googleapis.com, www.w3.org, www.youtube.com

Source & flagged code

12 flagged
package.json
scripts.postinstall = npm run setup:grammars
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = npm run setup:grammars
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
server.js
L18: import sharp from 'sharp';
L19: import { createServer } from 'http';
L20: import { WebSocket, WebSocketServer } from 'ws';
...
L28:
L29: const execAsync = promisify(exec);
L30: const execFileAsync = promisify(execFile);
...
L33: const app = express();
L34: const PORT = normalizePort(process.env.BRIDGE_PORT);
L35: const BRIDGE_ROOT = path.dirname(fileURLToPath(import.meta.url));
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

server.js · L18
Trigger-reachable chain: manifest.main -> server.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server.js
L12: import path from 'path';
L13: import { exec, spawn, spawnSync, execFile } from 'child_process';
L14: import { promisify } from 'util';
High
Child Process

Package source references child process execution.

server.js · L12
L28:
L29: const execAsync = promisify(exec);
L30: const execFileAsync = promisify(execFile);
High
Shell

Package source references shell execution.

server.js · L28
wwwroot/assets/MindCanvas-DjH_VLkJ.js
L813: })();
L814: `}function Kb(t){const e=performance.now(),a=[],i={log:(...r)=>a.push(vA(r.map(s=>String(s)).join(" "))),warn:(...r)=>a.push(vA(r.map(s=>String(s)).join(" "))),error:(...r)=>a.push...
L815: `));return{ok:!0,output:await Promise.resolve(r(t.input,i)),logs:a,error:"",durationMs:Math.round(performance.now()-e),isolation:"inline-test-fallback"}}).catch(r=>({ok:!1,output:n...
High
Eval

Package source references dynamic code evaluation.

wwwroot/assets/MindCanvas-DjH_VLkJ.js · L813
wwwroot/assets/supabaseAuthAdapter-D57zJK6k.js
L43: ${b}`}class C extends Error{constructor({message:e,code:r,cause:s,name:n}){var i;super(e,{cause:s}),this.__isWebAuthnError=!0,this.name=(i=n??(s instanceof Error?s.name:void 0))!==...
L44: `);const A=await E.signMessage(new TextEncoder().encode(p),"utf8");if(!A||!(A instanceof Uint8Array))throw new Error("@supabase/auth-js: Wallet signMessage() API returned an recogn...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

wwwroot/assets/supabaseAuthAdapter-D57zJK6k.js · L43
scripts/remote-fast-mdm-browser-smoke.mjs
Detached bundled service listener: scripts/remote-fast-mdm-browser-smoke.mjs spawns server.js; helper exposes a broad-bound HTTP listener.
L3: import assert from 'node:assert/strict';
L4: import { spawn } from 'node:child_process';
L5: import { mkdtemp, rm } from 'node:fs/promises';
L6: import net from 'node:net';
L7: import os from 'node:os';
...
L14: const LOCAL_BRIDGE_DIR = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
L15: const REQUESTED_FPS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_REQUEST_FPS || 12);
L16: const SAMPLE_MS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_SAMPLE_MS || 1500);
...
L47:
L48: const payload = await response.json().catch(() => null);
L49: return { status: response.status, ok: response.ok, payload };
...
L90:
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

scripts/remote-fast-mdm-browser-smoke.mjs · L3
remote-fast/osx-x64/mindexec-remote-fast
path = remote-fast/osx-x64/mindexec-remote-fast kind = native_binary sizeBytes = 83704 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

remote-fast/osx-x64/mindexec-remote-fast
tree-sitter-grammars/tree-sitter-go.wasm
path = tree-sitter-grammars/tree-sitter-go.wasm kind = wasm_module sizeBytes = 235957 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

tree-sitter-grammars/tree-sitter-go.wasm
start-bridge.bat
path = start-bridge.bat kind = build_helper sizeBytes = 558 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

start-bridge.bat

Findings

2 Critical · 5 High · 8 Medium · 5 Low
Critical · Same File Env Network Execution · server.js
Critical · Trigger Reachable Dangerous Capability · server.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · server.js
High · Shell · server.js
High · Eval · wwwroot/assets/MindCanvas-DjH_VLkJ.js
High · Spawned Bundled Service Listener · scripts/remote-fast-mdm-browser-smoke.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · wwwroot/assets/supabaseAuthAdapter-D57zJK6k.js
Medium · Network
Medium · Environment Vars
Medium · Ships Native Binary · remote-fast/osx-x64/mindexec-remote-fast
Medium · Ships Wasm Module · tree-sitter-grammars/tree-sitter-go.wasm
Medium · Ships Build Helper · start-bridge.bat
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings