registry  /  mindexec-ai  /  0.2.962

mindexec-ai@0.2.962

MindExec local runtime and bridge CLI

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack chain was found, but the package intentionally ships a local AI bridge with guarded shell, file, Codex, browser, and remote-agent capabilities. Risk is from explicit runtime use or local token exposure, not from install-time compromise.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs mindexec, mind-bridge, npm start, or starts server.js and then calls local bridge APIs.
Impact
Runtime bridge can execute commands, mutate workspace files, copy Codex auth into an isolated runtime home, and connect managed remote agents when invoked.
Mechanism
local authenticated bridge with shell/file/Codex/remote-agent execution
Rationale
Source inspection supports a warn-level agent/runtime lifecycle risk rather than malicious blocking: high-power capabilities are explicit and runtime-gated, while postinstall is limited to grammar file setup. No concrete malicious install-time behavior, credential exfiltration, persistence, or remote payload execution chain was confirmed.
Evidence
package.jsonscripts/setup-tree-sitter-grammars.mjslaunch-bridge.cjsport-guard.cjsserver.jscodex-runtime.jswwwroot/appsettings.jsontree-sitter-grammars/tree-sitter-javascript.wasmtree-sitter-grammars/tree-sitter-typescript.wasmtree-sitter-grammars/tree-sitter-tsx.wasmtree-sitter-grammars/tree-sitter-c_sharp.wasmtree-sitter-grammars/tree-sitter-python.wasmtree-sitter-grammars/tree-sitter-java.wasmtree-sitter-grammars/tree-sitter-go.wasmtree-sitter-grammars/tree-sitter-rust.wasmremote-fast/osx-x64/mindexec-remote-fastremote-fast/osx-arm64/mindexec-remote-fastremote-fast/win-x64/mindexec-remote-fast.exe
Network endpoints11
127.0.0.1:5077openrouter.ai/api/v1/modelsapi.imagerouter.io/v2/modelswww.googleapis.com/youtube/v3html.duckduckgo.com/html/api.duckduckgo.com/search.brave.com/searchotbyfkjxrkngvjziawki.supabase.cor2-auth-proxy.lovecrdm.workers.devweb-capture-worker.lovecrdm.workers.dev/capturemindexec.pages.dev/pricing

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • server.js exposes protected local APIs for shell execution, file writes/deletes, browser actions, Codex runs, and remote agent control.
  • /api/status returns bridgeToken; protected routes then accept that token via X-Bridge-Token or Bearer.
  • codex-runtime.js creates an isolated Codex home, copies ~/.codex/auth.json if present, and writes config.toml for runs.
  • server.js can launch bundled remote-fast binaries or npx -y @mindexec/remote@latest for managed RemoteAgent connections.
Evidence against
  • package.json postinstall only runs scripts/setup-tree-sitter-grammars.mjs, which copies missing tree-sitter wasm files into tree-sitter-grammars.
  • server.js binds HTTP server to 127.0.0.1, not a public interface.
  • File operations are constrained through validatePath/resolveReadablePath to workspace or active project roots.
  • Network endpoints are product-aligned model/auth/search/remote services; no credential exfiltration sink was found.
  • No install-time mutation of foreign AI-agent control surfaces was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 60 file(s), 5.14 MB of source, external domains: 127.0.0.1, api.duckduckgo.com, api.imagerouter.io, api.openai.com, bulkmd.pages.dev, clipbrd.pages.dev, developers.cloudflare.com, duckduckgo.com, example.com, github.com, html.duckduckgo.com, img.youtube.com, markdown-link-checker.pages.dev, mcp.example.test, md2html-4r7.pages.dev, mdoutln.pages.dev, mdtable-3ik.pages.dev, mdview-die.pages.dev, mindexec.pages.dev, mindexecution.pages.dev, news.google.com, openrouter.ai, quickpad.pages.dev, reactjs.org, readme-1o4.pages.dev, schema.org, search.brave.com, www.bing.com, www.googleapis.com, www.w3.org, www.youtube.com

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = npm run setup:grammars
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run setup:grammars
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
server.jsView file
18import sharp from 'sharp'; L19: import { createServer } from 'http'; L20: import { WebSocket, WebSocketServer } from 'ws'; ... L28: L29: const execAsync = promisify(exec); L30: const execFileAsync = promisify(execFile); ... L33: const app = express(); L34: const PORT = normalizePort(process.env.BRIDGE_PORT); L35: const BRIDGE_ROOT = path.dirname(fileURLToPath(import.meta.url));
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

server.jsView on unpkg · L18
Trigger-reachable chain: manifest.main -> server.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server.jsView on unpkg
12import path from 'path'; L13: import { exec, spawn, spawnSync, execFile } from 'child_process'; L14: import { promisify } from 'util';
High
Child Process

Package source references child process execution.

server.jsView on unpkg · L12
28L29: const execAsync = promisify(exec); L30: const execFileAsync = promisify(execFile);
High
Shell

Package source references shell execution.

server.jsView on unpkg · L28
wwwroot/assets/canvas-ai-task-core-ekSGbHyt.jsView file
1221})(); L1222: `}function vi(t){const r=performance.now(),e=[],n={log:(...a)=>e.push(La(a.map(u=>String(u)).join(" "))),warn:(...a)=>e.push(La(a.map(u=>String(u)).join(" "))),error:(...a)=>e.push... L1223: `));return{ok:!0,output:await Promise.resolve(a(t.input,n)),logs:e,error:"",durationMs:Math.round(performance.now()-r),isolation:"inline-test-fallback"}}).catch(a=>({ok:!1,output:n...
High
Eval

Package source references dynamic code evaluation.

wwwroot/assets/canvas-ai-task-core-ekSGbHyt.jsView on unpkg · L1221
wwwroot/assets/supabaseAuthAdapter-By7glRIM.jsView file
43${b}`}class C extends Error{constructor({message:e,code:r,cause:s,name:n}){var i;super(e,{cause:s}),this.__isWebAuthnError=!0,this.name=(i=n??(s instanceof Error?s.name:void 0))!==... L44: `);const A=await E.signMessage(new TextEncoder().encode(p),"utf8");if(!A||!(A instanceof Uint8Array))throw new Error("@supabase/auth-js: Wallet signMessage() API returned an recogn...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

wwwroot/assets/supabaseAuthAdapter-By7glRIM.jsView on unpkg · L43
scripts/remote-fast-mdm-browser-smoke.mjsView file
3Detached bundled service listener: scripts/remote-fast-mdm-browser-smoke.mjs spawns server.js; helper exposes a broad-bound HTTP listener. L3: import assert from 'node:assert/strict'; L4: import { spawn } from 'node:child_process'; L5: import { mkdtemp, rm } from 'node:fs/promises'; L6: import net from 'node:net'; L7: import os from 'node:os'; ... L14: const LOCAL_BRIDGE_DIR = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..'); L15: const REQUESTED_FPS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_REQUEST_FPS || 12); L16: const SAMPLE_MS = Number(process.env.MINDEXEC_REMOTE_MDM_BROWSER_SAMPLE_MS || 1500); ... L47: L48: const payload = await response.json().catch(() => null); L49: return { status: response.status, ok: response.ok, payload }; ... L90:
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

scripts/remote-fast-mdm-browser-smoke.mjsView on unpkg · L3
remote-fast/osx-x64/mindexec-remote-fastView file
path = remote-fast/osx-x64/mindexec-remote-fast kind = native_binary sizeBytes = 83704 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

remote-fast/osx-x64/mindexec-remote-fastView on unpkg
tree-sitter-grammars/tree-sitter-go.wasmView file
path = tree-sitter-grammars/tree-sitter-go.wasm kind = wasm_module sizeBytes = 235957 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

tree-sitter-grammars/tree-sitter-go.wasmView on unpkg
start-bridge.batView file
path = start-bridge.bat kind = build_helper sizeBytes = 558 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

start-bridge.batView on unpkg

Findings

2 Critical5 High8 Medium5 Low
CriticalSame File Env Network Executionserver.js
CriticalTrigger Reachable Dangerous Capabilityserver.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processserver.js
HighShellserver.js
HighEvalwwwroot/assets/canvas-ai-task-core-ekSGbHyt.js
HighSpawned Bundled Service Listenerscripts/remote-fast-mdm-browser-smoke.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirewwwroot/assets/supabaseAuthAdapter-By7glRIM.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binaryremote-fast/osx-x64/mindexec-remote-fast
MediumShips Wasm Moduletree-sitter-grammars/tree-sitter-go.wasm
MediumShips Build Helperstart-bridge.bat
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings