
mocode-ai@0.2.2

Terminal coding agent: LLM + tool-call loop + streaming output (including thinking) + 16 tools, connects to any OpenAI-compatible backend.

AI Security Review

scanned 21h ago · by lpm-firewall-ai

No confirmed malicious install-time behavior or unconsented foreign agent control-surface mutation was found. The package is a coding-agent CLI with broad user/LLM-invoked file, shell, web, memory, and skill-loading capabilities plus runtime self-update.

Static reason
One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.
Trigger
Running the `mocode` CLI and allowing the agent or slash commands to invoke tools.
Impact
Can modify project files, run commands, access configured web/LLM endpoints, read local skill files, and globally update itself during runtime; no evidence of credential exfiltration or persistence beyond documented package-owned config/cache/memory files.
Mechanism
AI coding agent with shell/file/network tools and background self-update
Attack narrative
If a user runs `mocode`, the CLI starts an autonomous coding-agent loop. The model can call built-in tools to write files, edit files, run shell commands, fetch URLs, search the web, store memory, and load skills from ~/.claude, ~/.mocode, and project skill directories. Startup also performs a package-aligned update check and may run detached `npm install -g mocode-ai@latest` based on cached registry data. These are dangerous dual-use agent capabilities, but inspection did not find stealth install-time execution, credential harvesting, exfiltration, destructive persistence, or unconsented mutation of foreign AI-agent control surfaces.
Rationale
Source inspection supports a warn-level dangerous-capability verdict rather than malicious: the risky primitives are aligned with an explicitly invoked coding-agent CLI and documented updater, with no concrete attack payload or lifecycle control-surface hijack found. The self-update and broad agent tools justify firewall warning/downgrade instead of marking fully clean.
Evidence
  • package.json
  • bin/mocode.js
  • dist/index.js
  • dist/updater/index.js
  • dist/pet/bridge.js
  • dist/tools/builtins/run-command.js
  • dist/tools/builtins/write-file.js
  • dist/tools/builtins/edit-file.js
  • dist/skills/discover.js
  • dist/tools/builtins/web-search.js
  • dist/tools/builtins/web-fetch.js
  • dist/config/file.js
  • ~/.mocode/config
  • ~/.mocode/update-check.json
  • ~/.mocode/memory.jsonl
  • <cwd>/.mocode/memory.jsonl
  • ~/.claude/skills
  • ~/.mocode/skills
  • <cwd>/.mocode/skills
Network endpoints (8)
  • registry.npmjs.org/
  • api.anysearch.com
  • ws://127.0.0.1:47821
  • open.bigmodel.cn/api/v3
  • api.deepseek.com
  • dashscope.aliyuncs.com/compatible-mode/v1
  • localhost:11434/v1
  • localhost:8000/v1

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/tools/builtins/run-command.js exposes user/LLM-invoked shell execution via bash/cmd with only best-effort denylist.
  • dist/tools/builtins/write-file.js and edit-file.js allow agent-driven file writes inside the configured sandbox root.
  • dist/updater/index.js checks npm registry and may spawn detached `npm install -g mocode-ai@latest` on CLI startup when cache says newer version exists.
  • dist/skills/discover.js reads ~/.claude/skills in addition to ~/.mocode and project skills, importing foreign agent skill text into this agent context.
  • dist/tools/builtins/web-search.js and web-fetch.js provide network access to AnySearch and arbitrary http/https URLs.
Evidence against
  • package.json lifecycle only has prepare -> npm run build; no install/postinstall hook or source evidence of install-time payload execution.
  • bin/mocode.js only imports dist/index.js; dangerous operations are runtime CLI/tool actions, not import-time side effects.
  • dist/pet/bridge.js connects only to ws://127.0.0.1 and spawns optional mocode-pet-app after explicit /pet path, not during install.
  • No code found writing CLAUDE.md, .mcp.json, Cursor/Codex settings, shell startup files, VCS hooks, or other foreign control surfaces.
  • Network endpoints are package-aligned: npm registry/latest, configured LLM/OpenAI-compatible baseURL, AnySearch, user-provided fetch URLs, and localhost pet websocket.
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 82 file(s), 491 KB of source, external domains: api.anysearch.com, api.deepseek.com, dashscope.aliyuncs.com, open.bigmodel.cn, registry.npmjs.org

Source & flagged code

4 flagged
dist/ui/clipboard.js
    import { stdout, platform } from 'node:process';
    import { spawn } from 'node:child_process';
    /**
High
Child Process

Package source references child process execution.

dist/ui/clipboard.js · L1
     * Read (readClipboard): OSC 52 is one-way (the terminal never sends clipboard content back to the application; even if `\x1B]52;c;?\x07`
     * is sent to request a read, most terminals do not respond, for security reasons), so reading has to rely on local native tools: win32 = PowerShell Get-Clipboard,
     * darwin = pbpaste, linux = wl-paste / xclip -o / xsel -o. Used to "paste" when the input box is clicked with the mouse.
High
Shell

Package source references shell execution.

dist/ui/clipboard.js · L13
dist/pet/bridge.js
matchType = previous_version_dangerous_delta
matchedPackage = mocode-ai@0.2.0
matchedIdentity = npm:bW9jb2RlLWFp:0.2.0
similarity = 0.948
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/pet/bridge.js
    catch (e) {
      reject(new Error('mocode-pet-app 未安装,请运行 npm install mocode-pet-app'));
      return;
    ...
    try {
      const child = spawn(process.execPath, [binPath], {
        detached: true,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/pet/bridge.js · L120

Findings

1 Critical · 3 High · 3 Medium · 5 Low

Severity   Finding                             File
Critical   Previous Version Dangerous Delta    dist/pet/bridge.js
High       Child Process                       dist/ui/clipboard.js
High       Shell                               dist/ui/clipboard.js
High       Runtime Package Install             dist/pet/bridge.js
Medium     Network
Medium     Environment Vars
Medium     Structural Risk Force Deep Review
Low        Non Install Lifecycle Scripts
Low        Scripts Present
Low        Filesystem
Low        High Entropy Strings
Low        Url Strings