registry  /  octocode-ai  /  4.8.12

octocode-ai@4.8.12

OctoCode - AI-powered development tool by Farhan Dhrubo

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface in the reviewed wrapper package. Install-time behavior is limited to creating a package-local executable link/copy for the platform binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user invoking octo runs bin/octo
Impact
Package-local bin/.octocode may be replaced during install; runtime delegates to platform optional dependency or explicit OCTOCODE_BIN_PATH.
Mechanism
platform binary shim/link setup
Rationale
The lifecycle script is package-aligned native binary setup and does not perform network access, exfiltration, persistence, or agent control-surface mutation. Runtime child_process use is expected for a CLI shim and activated by user command or explicit environment override.
Evidence
package.jsonpostinstall.mjsbin/octoREADME.mdbin/.octocode

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: bun/node ./postinstall.mjs
  • postinstall.mjs deletes/replaces bin/.octocode inside the package directory
  • bin/octo can execute OCTOCODE_BIN_PATH when explicitly set by environment
Evidence against
  • postinstall.mjs only resolves package-owned optional dependency octocode-ai-<platform>-<arch> and links/copies its binary
  • No fetch/http/curl/wget or other network code in package entrypoints
  • No credential/env harvesting; process.env use is limited to OCTOCODE_BIN_PATH override
  • bin/octo is a user-invoked CLI shim that locates installed platform binaries under node_modules
  • No AI-agent config writes or foreign control-surface mutation found
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
Manifest
CopyleftLicense
scanned 1 file(s), 2.08 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = bun ./postinstall.mjs || node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bun ./postinstall.mjs || node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowCopyleft License