registry  /  mocode-ai  /  0.6.6

mocode-ai@0.6.6

终端编码 agent:LLM + tool-call 循环 + 流式输出(含思考)+ 16 个工具,接任意 OpenAI 兼容后端。

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Running the `mocode` CLI enables an LLM-driven coding agent with shell, filesystem, and network capabilities. On startup, its self-updater may asynchronously install a newer global version of the same package.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the `mocode` binary; a cached newer version enables the update spawn.
Impact
The agent can act on the active project, and startup can replace the global package with a registry-provided newer release.
Mechanism
LLM tool execution plus detached package-owned global self-update.
Rationale
No concrete malicious chain was found, but the exposed agent powers and silent global self-update create a real dangerous-capability and supply-chain risk. Warn rather than block.
Evidence
package.jsonbin/mocode.jsdist/index.jsdist/updater/index.jsdist/tools/builtins/run-command.jsdist/tools/builtins/index.jsdist/pet/bridge.jsdist/config/file.js
Network endpoints3
registry.npmjs.org/api.anysearch.comws://127.0.0.1:<MOCODE_PET_PORT>

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/updater/index.js` auto-checks on CLI startup and can detach `npm install -g mocode-ai@latest`.
  • `dist/tools/builtins/run-command.js` exposes arbitrary shell execution to the coding agent.
  • `dist/tools/builtins/index.js` registers file-write, web, and command tools.
Evidence against
  • `package.json` has only a `prepare` build hook; no preinstall/install/postinstall hook.
  • The updater targets the package's own name and npm registry, not unrelated software or agent configuration.
  • No inspected source showed credential harvesting, hidden exfiltration, remote payload execution, or destructive install-time behavior.
  • `dist/pet/bridge.js` connects only to a loopback WebSocket and its optional pet process is user-invoked.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 108 file(s), 859 KB of source, external domains: api.anysearch.com, api.deepseek.com, api.minimax.io, dashscope.aliyuncs.com, open.bigmodel.cn, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/ui/clipboard.jsView file
1import { stdout, platform } from 'node:process'; L2: import { spawn } from 'node:child_process'; L3: /**
High
Child Process

Package source references child process execution.

dist/ui/clipboard.jsView on unpkg · L1
13* 读取(readClipboard):OSC 52 是单向的(终端不会把剪贴板内容回传给应用,即便发 `\x1B]52;c;?\x07` L14: * 请求读取,多数终端出于安全考虑不响应),故读只能靠本地原生工具:win32=PowerShell Get-Clipboard、 L15: * darwin=pbpaste、linux=wl-paste / xclip -o / xsel -o。供鼠标点击输入框时"贴入"用。
High
Shell

Package source references shell execution.

dist/ui/clipboard.jsView on unpkg · L13
dist/attachments/image.jsView file
58const buf = await readFile(abs); L59: const dataUrl = `data:${mime};base64,${buf.toString('base64')}`; L60: const id = createHash('sha1')
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/attachments/image.jsView on unpkg · L58
dist/pet/bridge.jsView file
120catch (e) { L121: reject(new Error('mocode-pet-app 未安装,请运行 npm install mocode-pet-app')); L122: return; ... L124: try { L125: const child = spawn(process.execPath, [binPath], { L126: detached: true,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/pet/bridge.jsView on unpkg · L120
dist/tools/builtins/run-command.jsView file
matchType = previous_version_dangerous_delta matchedPackage = mocode-ai@0.6.4 matchedIdentity = npm:bW9jb2RlLWFp:0.6.4 similarity = 0.932 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tools/builtins/run-command.jsView on unpkg

Findings

1 Critical3 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/tools/builtins/run-command.js
HighChild Processdist/ui/clipboard.js
HighShelldist/ui/clipboard.js
HighRuntime Package Installdist/pet/bridge.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/attachments/image.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings