registry  /  mixdog  /  0.9.15

mixdog@0.9.15

Standalone mixdog coding-agent CLI/TUI workspace.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. Network, shell, MCP, plugin, and native runtime behavior appears tied to an explicitly invoked coding-agent CLI and package-owned .mixdog data paths.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs the mixdog CLI or opts into runtime/plugin/channel features.
Impact
No install-time execution, credential harvesting, exfiltration, persistence, or unconsented foreign AI-agent control-surface mutation found.
Mechanism
User-invoked coding-agent functionality with verified package runtime downloads.
Rationale
The scanner findings map to expected agent CLI behavior: provider/network access, shell tools, local MCP/plugin support, and verified native runtime downloads. With no lifecycle hook, no unconsented writes to foreign agent surfaces, and no concrete exfiltration or persistence path, this should be marked clean.
Evidence
package.jsonsrc/cli.mjssrc/app.mjssrc/runtime/memory/lib/runtime-fetcher.mjssrc/runtime/memory/data/runtime-manifest.jsonsrc/runtime/channels/data/voice-runtime-manifest.jsonsrc/runtime/agent/orchestrator/context/collect.mjssrc/session-runtime/plugin-mcp.mjssrc/standalone/plugin-admin.mjs

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm install/preinstall/postinstall hooks; only bin mixdog -> src/cli.mjs.
    • src/app.mjs only starts help/plain/headless/TUI paths after explicit CLI invocation.
    • src/runtime/memory/lib/runtime-fetcher.mjs downloads package-aligned runtime assets from bundled manifests and verifies SHA-256 before extraction.
    • src/runtime/channels/data/voice-runtime-manifest.json lists voice binaries/models with pinned SHA-256 values.
    • src/runtime/agent/orchestrator/context/collect.mjs comments and code use .mixdog-owned skill paths, not .claude.
    • src/session-runtime/plugin-mcp.mjs only reads project .mcp.json and strips self-ref servers; no lifecycle mutation of foreign agent config found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 650 file(s), 7.98 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.openai.com, api.telegram.org, api.x.ai, auth.openai.com, auth.x.ai, changed.example, chatgpt.com, claude.com, cli-chat-proxy.grok.com, console.anthropic.com, console.x.ai, example.com, generativelanguage.googleapis.com, github.com, management-api.x.ai, models.dev, opencode.ai, platform.claude.com, platform.deepseek.com, platform.openai.com, raw.githubusercontent.com, registry.npmjs.org

    Source & flagged code

    12 flagged · loading source
    scripts/compact-smoke.mjsView file
    388patternName = generic_password severity = medium line = 388 matchedText = { id: 'c...} },
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    scripts/compact-smoke.mjsView on unpkg · L388
    scripts/smoke-loop.mjsView file
    2import { appendFileSync, mkdirSync } from 'node:fs'; L3: import { spawnSync } from 'node:child_process'; L4: import { dirname, isAbsolute, resolve } from 'node:path';
    High
    Child Process

    Package source references child process execution.

    scripts/smoke-loop.mjsView on unpkg · L2
    scripts/bench-run.mjsView file
    208const { raw, ok } = await new Promise((resolveRun) => { L209: const child = spawn('codex', args, { shell: true, env: { ...process.env, ...(opts.env || {}) } }); L210: let out = '';
    High
    Shell

    Package source references shell execution.

    scripts/bench-run.mjsView on unpkg · L208
    scripts/ingest-pure-conversation-smoke.mjsView file
    12// require it directly to mirror the pipeline without booting the MCP server. L13: const require = createRequire(import.meta.url) L14: const { cleanMemoryText } = require('../src/lib/text-utils.cjs')
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    scripts/ingest-pure-conversation-smoke.mjsView on unpkg · L12
    src/standalone/plugin-admin.mjsView file
    1import { spawnSync } from 'node:child_process'; L2: import { ... L37: function readJsonSafe(path) { L38: try { return JSON.parse(readFileSync(path, 'utf8')); } catch { return null; } L39: } ... L93: type: 'git', L94: url: `https://github.com/${source}.git`, L95: displaySource: source, ... L104: } L105: const localPath = source.replace(/^~(?=$|[\\/])/, homedir()); L106: const resolved = resolve(localPath); ... L120: if (result.status !== 0) {
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    src/standalone/plugin-admin.mjsView on unpkg · L1
    src/runtime/agent/orchestrator/tools/shell-snapshot.mjsView file
    13L14: import { spawn } from 'node:child_process'; L15: import { existsSync, mkdirSync, statSync, readFileSync, unlinkSync } from 'node:fs'; ... L86: const lower = shellPath.toLowerCase(); L87: if (lower.includes('zsh')) return join(homedir(), '.zshrc'); L88: if (lower.includes('bash')) return join(homedir(), '.bashrc'); ... L154: const script = getSnapshotScript(shellPath, snapshotPath, configFileExists); L155: let stderrBuf = ''; L156: // Mirror reference implementation (bash/ShellSnapshot.ts:458): ... L169: // even when the snapshot itself is fine). L170: // R11: scrub loader/execution vars from process.env before L171: // handing it to the snapshot shell. This site previously passed
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    src/runtime/agent/orchestrator/tools/shell-snapshot.mjsView on unpkg · L13
    src/runtime/channels/lib/whisper-server.mjsView file
    35L36: import net from 'node:net'; L37: import path from 'node:path'; L38: import fs from 'node:fs'; L39: import { spawn, spawnSync } from 'node:child_process'; L40: import { setTimeout as delay } from 'node:timers/promises'; ... L46: const FIXED_PORT = (() => { L47: const raw = process.env.MIXDOG_WHISPER_SERVER_PORT; L48: const n = raw ? Number.parseInt(raw, 10) : NaN;
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    src/runtime/channels/lib/whisper-server.mjsView on unpkg · L35
    src/runtime/memory/lib/runtime-fetcher.mjsView file
    1const __mixdogMemoryStderrWrite = process.stderr.write.bind(process.stderr); L2: function __mixdogMemoryLog(...args) { L3: if (process.env.MIXDOG_QUIET_MEMORY_LOG) return true; L4: return __mixdogMemoryStderrWrite(...args); ... L30: import { pipeline } from 'stream/promises' L31: import { spawnSync } from 'child_process' L32: import { renameWithRetrySync, writeFileAtomicSync, writeJsonAtomicSync } from '../../shared/atomic-file.mjs' ... L38: // GitHub raw URL fallback — used only when no cached or bundled manifest exists. L39: const MANIFEST_URL = 'https://raw.githubusercontent.[redacted]-manifest.json' L40: const LEGACY_RUNTIME_RELEASE_REPOSITORY = 'trib-plugin/mixdog' ... L46: function platformKey() { L47: const os = process.platform === 'win32' ? 'win32' : process.platform
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    src/runtime/memory/lib/runtime-fetcher.mjsView on unpkg · L1
    src/runtime/channels/lib/format.mjsView file
    129contains invisible/control Unicode U+200B (zero width space) return line.replace(/```/g, "`<U+200B>``");
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    src/runtime/channels/lib/format.mjsView on unpkg · L129
    scripts/build-runtime-linux.shView file
    path = scripts/build-runtime-linux.sh kind = build_helper sizeBytes = 14047 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    scripts/build-runtime-linux.shView on unpkg
    src/standalone/memory-runtime-proxy.mjsView file
    matchType = previous_version_dangerous_delta matchedPackage = mixdog@0.9.10 matchedIdentity = npm:bWl4ZG9n:0.9.10 similarity = 0.850 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    src/standalone/memory-runtime-proxy.mjsView on unpkg
    scripts/session-ingest-smoke.mjsView file
    59patternName = generic_password severity = medium line = 59 matchedText = const js... });
    Medium
    Secret Pattern

    Hardcoded password in scripts/session-ingest-smoke.mjs

    scripts/session-ingest-smoke.mjsView on unpkg · L59

    Findings

    1 Critical5 High8 Medium6 Low
    CriticalTrojan Source Unicodesrc/runtime/channels/lib/format.mjs
    HighChild Processscripts/smoke-loop.mjs
    HighShellscripts/bench-run.mjs
    HighSame File Env Network Executionsrc/runtime/channels/lib/whisper-server.mjs
    HighSandbox Evasion Gated Capabilitysrc/runtime/memory/lib/runtime-fetcher.mjs
    HighPrevious Version Dangerous Deltasrc/standalone/memory-runtime-proxy.mjs
    MediumSecret Patternscripts/compact-smoke.mjs
    MediumDynamic Requirescripts/ingest-pure-conversation-smoke.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencesrc/runtime/agent/orchestrator/tools/shell-snapshot.mjs
    MediumShips Build Helperscripts/build-runtime-linux.sh
    MediumStructural Risk Force Deep Review
    MediumSecret Patternscripts/session-ingest-smoke.mjs
    LowScripts Present
    LowEval
    LowWeak Cryptosrc/standalone/plugin-admin.mjs
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings