registry  /  mixdog  /  0.9.5

mixdog@0.9.5

Standalone mixdog coding-agent CLI/TUI workspace.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are expected for a user-invoked AI coding-agent CLI and are not triggered during npm install/import.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
user runs mixdog CLI or explicitly configures providers/plugins/MCP/channel features
Impact
No evidence of credential harvesting, persistence, destructive install behavior, or unconsented foreign AI-agent control-surface mutation.
Mechanism
package-aligned agent runtime with provider APIs, local tools, and verified runtime downloads
Rationale
Static inspection found a broad but package-aligned AI agent CLI with provider networking, local tools, MCP/plugin support, and verified native runtime downloads, all activated by user CLI/config actions rather than npm lifecycle hooks. No concrete exfiltration, persistence, destructive action, or unconsented mutation of foreign AI-agent control surfaces was found.
Evidence
package.jsonsrc/cli.mjssrc/app.mjssrc/standalone/channel-worker.mjssrc/runtime/memory/lib/runtime-fetcher.mjssrc/runtime/channels/lib/whisper-server.mjssrc/runtime/channels/lib/format.mjssrc/standalone/plugin-admin.mjssrc/session-runtime/mcp-glue.mjssrc/runtime/agent/orchestrator/providers/anthropic-oauth-credentials.mjssrc/runtime/agent/orchestrator/providers/openai-ws-pool.mjssrc/runtime/agent/orchestrator/providers/codex-client-meta.mjs
Network endpoints9
raw.githubusercontent.com/tribgames/mixdog/main/src/runtime/memory/data/runtime-manifest.jsongithub.com/tribgames/mixdog/releases/download/runtime-v0.4.0/huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-large-v3-turbo.binplatform.claude.com/v1/oauth/tokenclaude.com/cai/oauth/authorizewss://chatgpt.com/backend-api/codex/responseswss://api.openai.com/v1/responseswss://api.x.ai/v1/responsesregistry.npmjs.org/@openai/codex/latest

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Agent CLI exposes user-invoked shell/MCP/plugin/network capabilities.
  • src/runtime/memory/lib/runtime-fetcher.mjs downloads native runtime assets from GitHub with sha256 verification.
  • src/runtime/channels/lib/whisper-server.mjs spawns a local whisper-server child and posts audio only to 127.0.0.1 fixed port.
Evidence against
  • package.json has no install/postinstall/prepare lifecycle hook; bin is user-invoked src/cli.mjs.
  • src/app.mjs only dispatches CLI/TUI/headless modes; no import-time payload or foreign agent config writes.
  • Plugin installs in mixdog-owned data/plugins paths and validates removal stays under registry root.
  • MCP config reads project .mcp.json and user mixdog config; no lifecycle creation of foreign .mcp.json/CLAUDE/Codex/Cursor surfaces found.
  • OAuth credential code stores/refreshes provider tokens in mixdog-owned credential files and scrubs token errors; no exfil endpoint found.
  • Trojan-source hint in src/runtime/channels/lib/format.mjs is caused by visible emoji/zero-width fence escaping in formatter logic, not hidden control-flow code.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 648 file(s), 7.85 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.openai.com, api.telegram.org, api.x.ai, auth.openai.com, auth.x.ai, changed.example, chatgpt.com, claude.com, cli-chat-proxy.grok.com, console.anthropic.com, console.x.ai, example.com, generativelanguage.googleapis.com, github.com, management-api.x.ai, models.dev, opencode.ai, platform.claude.com, platform.deepseek.com, platform.openai.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

12 flagged · loading source
scripts/compact-smoke.mjsView file
388patternName = generic_password severity = medium line = 388 matchedText = { id: 'c...} },
Medium
Secret Pattern

Package contains a possible secret pattern.

scripts/compact-smoke.mjsView on unpkg · L388
scripts/smoke-loop.mjsView file
2import { appendFileSync, mkdirSync } from 'node:fs'; L3: import { spawnSync } from 'node:child_process'; L4: import { dirname, isAbsolute, resolve } from 'node:path';
High
Child Process

Package source references child process execution.

scripts/smoke-loop.mjsView on unpkg · L2
scripts/bench-run.mjsView file
208const { raw, ok } = await new Promise((resolveRun) => { L209: const child = spawn('codex', args, { shell: true, env: { ...process.env, ...(opts.env || {}) } }); L210: let out = '';
High
Shell

Package source references shell execution.

scripts/bench-run.mjsView on unpkg · L208
scripts/ingest-pure-conversation-smoke.mjsView file
12// require it directly to mirror the pipeline without booting the MCP server. L13: const require = createRequire(import.meta.url) L14: const { cleanMemoryText } = require('../src/lib/text-utils.cjs')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/ingest-pure-conversation-smoke.mjsView on unpkg · L12
src/standalone/plugin-admin.mjsView file
1import { spawnSync } from 'node:child_process'; L2: import { ... L37: function readJsonSafe(path) { L38: try { return JSON.parse(readFileSync(path, 'utf8')); } catch { return null; } L39: } ... L93: type: 'git', L94: url: `https://github.com/${source}.git`, L95: displaySource: source, ... L104: } L105: const localPath = source.replace(/^~(?=$|[\\/])/, homedir()); L106: const resolved = resolve(localPath); ... L120: if (result.status !== 0) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/standalone/plugin-admin.mjsView on unpkg · L1
src/runtime/agent/orchestrator/tools/shell-snapshot.mjsView file
13L14: import { spawn } from 'node:child_process'; L15: import { existsSync, mkdirSync, statSync, readFileSync, unlinkSync } from 'node:fs'; ... L86: const lower = shellPath.toLowerCase(); L87: if (lower.includes('zsh')) return join(homedir(), '.zshrc'); L88: if (lower.includes('bash')) return join(homedir(), '.bashrc'); ... L154: const script = getSnapshotScript(shellPath, snapshotPath, configFileExists); L155: let stderrBuf = ''; L156: // Mirror reference implementation (bash/ShellSnapshot.ts:458): ... L169: // even when the snapshot itself is fine). L170: // R11: scrub loader/execution vars from process.env before L171: // handing it to the snapshot shell. This site previously passed
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/runtime/agent/orchestrator/tools/shell-snapshot.mjsView on unpkg · L13
src/runtime/channels/lib/whisper-server.mjsView file
35L36: import net from 'node:net'; L37: import path from 'node:path'; L38: import fs from 'node:fs'; L39: import { spawn, spawnSync } from 'node:child_process'; L40: import { setTimeout as delay } from 'node:timers/promises'; ... L46: const FIXED_PORT = (() => { L47: const raw = process.env.MIXDOG_WHISPER_SERVER_PORT; L48: const n = raw ? Number.parseInt(raw, 10) : NaN;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/runtime/channels/lib/whisper-server.mjsView on unpkg · L35
src/runtime/memory/lib/runtime-fetcher.mjsView file
1const __mixdogMemoryStderrWrite = process.stderr.write.bind(process.stderr); L2: function __mixdogMemoryLog(...args) { L3: if (process.env.MIXDOG_QUIET_MEMORY_LOG) return true; L4: return __mixdogMemoryStderrWrite(...args); ... L30: import { pipeline } from 'stream/promises' L31: import { spawnSync } from 'child_process' L32: import { renameWithRetrySync, writeFileAtomicSync, writeJsonAtomicSync } from '../../shared/atomic-file.mjs' ... L38: // GitHub raw URL fallback — used only when no cached or bundled manifest exists. L39: const MANIFEST_URL = 'https://raw.githubusercontent.[redacted]-manifest.json' L40: const LEGACY_RUNTIME_RELEASE_REPOSITORY = 'trib-plugin/mixdog' ... L46: function platformKey() { L47: const os = process.platform === 'win32' ? 'win32' : process.platform
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/runtime/memory/lib/runtime-fetcher.mjsView on unpkg · L1
src/runtime/channels/lib/format.mjsView file
129contains invisible/control Unicode U+200B (zero width space) return line.replace(/```/g, "`<U+200B>``");
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/runtime/channels/lib/format.mjsView on unpkg · L129
scripts/build-runtime-linux.shView file
path = scripts/build-runtime-linux.sh kind = build_helper sizeBytes = 14047 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/build-runtime-linux.shView on unpkg
src/standalone/channel-worker.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = mixdog@0.9.3 matchedIdentity = npm:bWl4ZG9n:0.9.3 similarity = 0.483 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/standalone/channel-worker.mjsView on unpkg
scripts/session-ingest-smoke.mjsView file
59patternName = generic_password severity = medium line = 59 matchedText = const js... });
Medium
Secret Pattern

Hardcoded password in scripts/session-ingest-smoke.mjs

scripts/session-ingest-smoke.mjsView on unpkg · L59

Findings

1 Critical5 High8 Medium6 Low
CriticalTrojan Source Unicodesrc/runtime/channels/lib/format.mjs
HighChild Processscripts/smoke-loop.mjs
HighShellscripts/bench-run.mjs
HighSame File Env Network Executionsrc/runtime/channels/lib/whisper-server.mjs
HighSandbox Evasion Gated Capabilitysrc/runtime/memory/lib/runtime-fetcher.mjs
HighPrevious Version Dangerous Deltasrc/standalone/channel-worker.mjs
MediumSecret Patternscripts/compact-smoke.mjs
MediumDynamic Requirescripts/ingest-pure-conversation-smoke.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/runtime/agent/orchestrator/tools/shell-snapshot.mjs
MediumShips Build Helperscripts/build-runtime-linux.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternscripts/session-ingest-smoke.mjs
LowScripts Present
LowEval
LowWeak Cryptosrc/standalone/plugin-admin.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings