
mocode-ai@0.1.7

Terminal coding agent: LLM + tool-call loop + streaming output (including thinking) + 16 tools, connecting to any OpenAI-compatible backend.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious install-time payload or credential exfiltration was found. The main unresolved risk is runtime self-update plus agent-exposed command/file tools, activated only by using the CLI.

Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
User runs `mocode` CLI after install
Impact
Potential unprompted package self-mutation to latest version; command/file operations are user-session agent capabilities rather than hidden payloads.
Mechanism
agent runtime tools and background global npm self-update
Attack narrative
On startup, the CLI reads a cache and may silently spawn `npm install -g mocode-ai@latest` after checking the npm registry. The package also gives the LLM agent command execution and file write/edit tools, but these are exposed as the product's intended coding-agent functionality with sandboxing and env filtering, not hidden install-time behavior.
Rationale
Static inspection did not show credential harvesting, hidden exfiltration, destructive persistence, or lifecycle payload execution. The unprompted runtime self-update is a real supply-chain risk that warrants warning, but the observed behavior is not enough to classify this version as malicious.
Evidence
  • package.json
  • bin/mocode.js
  • dist/index.js
  • dist/updater/index.js
  • dist/tools/builtins/run-command.js
  • dist/tools/registry.js
  • dist/sandbox/policy.js
  • dist/tools/builtins/web-search.js
  • dist/tools/builtins/web-fetch.js
  • ~/.mocode/update-check.json
  • ~/.mocode/config
  • <cwd>/.mocode/*
Network endpoints (2)
  • registry.npmjs.org
  • api.anysearch.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/updater/index.js checks npm registry and may spawn `npm install -g mocode-ai@latest` on CLI startup based on cached latest version.
  • dist/tools/builtins/run-command.js exposes shell execution to the LLM agent at runtime.
  • dist/tools/builtins/write-file.js and edit-file.js allow project file mutation through agent tools.
Evidence against
  • package.json prepare only runs local TypeScript build; no install/postinstall hook executes payload code from the published dist.
  • bin/mocode.js only imports dist/index.js; agent behavior starts on explicit `mocode` CLI use.
  • run_command is user/LLM-invoked, applies sandbox cwd, command denylist, timeout, and filters KEY/TOKEN/SECRET/PASSWORD/LLM env vars.
  • Network use is package-aligned: configured OpenAI-compatible LLM, AnySearch/web_fetch tools, and npm registry update check.
  • Path tools are wrapped by dist/tools/registry.js and dist/sandbox/policy.js to jail read/write/edit under sandbox root.
Behavioral surface
Source
Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 66 file(s), 389 KB of source, external domains: api.anysearch.com, open.bigmodel.cn, registry.npmjs.org

Source & flagged code

1 flagged
dist/tools/builtins/run-command.js
matchType = previous_version_dangerous_delta
matchedPackage = mocode-ai@0.1.5
matchedIdentity = npm:bW9jb2RlLWFp:0.1.5
similarity = 0.830
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/tools/builtins/run-command.js

Findings

1 Critical, 2 Medium, 5 Low
  • Critical: Previous Version Dangerous Delta (dist/tools/builtins/run-command.js)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings