AI Security Review
scanned 2d ago · by lpm-firewall-ai

No confirmed malicious install-time payload or credential exfiltration was found. The main unresolved risk is runtime self-update plus agent-exposed command/file tools, activated only by using the CLI.
Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
User runs `mocode` CLI after install
Impact
Potential unprompted package self-mutation to latest version; command/file operations are user-session agent capabilities rather than hidden payloads.
Mechanism
agent runtime tools and background global npm self-update
Attack narrative
On startup, the CLI reads a cache and may silently spawn `npm install -g mocode-ai@latest` after checking the npm registry. The package also gives the LLM agent command execution and file write/edit tools, but these are exposed as the product's intended coding-agent functionality with sandboxing and env filtering, not hidden install-time behavior.
Rationale
Static inspection did not show credential harvesting, hidden exfiltration, destructive persistence, or lifecycle payload execution. The unprompted runtime self-update is a real supply-chain risk that warrants warning, but the observed behavior is not enough to classify this version as malicious.
Evidence
- package.json
- bin/mocode.js
- dist/index.js
- dist/updater/index.js
- dist/tools/builtins/run-command.js
- dist/tools/registry.js
- dist/sandbox/policy.js
- dist/tools/builtins/web-search.js
- dist/tools/builtins/web-fetch.js
- ~/.mocode/update-check.json
- ~/.mocode/config
- <cwd>/.mocode/*
Network endpoints (2)
- registry.npmjs.org
- api.anysearch.com
Decision evidence
public snapshot: AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/updater/index.js checks npm registry and may spawn `npm install -g mocode-ai@latest` on CLI startup based on cached latest version.
- dist/tools/builtins/run-command.js exposes shell execution to the LLM agent at runtime.
- dist/tools/builtins/write-file.js and edit-file.js allow project file mutation through agent tools.
Evidence against
- package.json prepare only runs local TypeScript build; no install/postinstall hook executes payload code from the published dist.
- bin/mocode.js only imports dist/index.js; agent behavior starts on explicit `mocode` CLI use.
- run_command is user/LLM-invoked, applies sandbox cwd, command denylist, timeout, and filters KEY/TOKEN/SECRET/PASSWORD/LLM env vars.
- Network use is package-aligned: configured OpenAI-compatible LLM, AnySearch/web_fetch tools, and npm registry update check.
- Path tools are wrapped by dist/tools/registry.js and dist/sandbox/policy.js to jail read/write/edit under sandbox root.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
1 flagged: dist/tools/builtins/run-command.js
matchType = previous_version_dangerous_delta
matchedPackage = mocode-ai@0.1.5
matchedIdentity = npm:bW9jb2RlLWFp:0.1.5
similarity = 0.830
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/tools/builtins/run-command.js
Findings
1 Critical · 2 Medium · 5 Low
- Critical: Previous Version Dangerous Delta (dist/tools/builtins/run-command.js)
- Medium: Network
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings