publishport-opencli@1.8.5-pp.21

Make any website or Electron App your CLI. AI-powered.

AI Security Review

scanned 23h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an OpenCLI browser/site automation platform with lifecycle setup in shell completion and ~/.opencli namespaces. This creates platform extension lifecycle risk, but source inspection did not show unconsented foreign AI-agent hijack or malware behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
global npm install, first opencli runtime, or explicit plugin/adapter commands
Impact
Can mutate ~/.opencli state and run user-installed plugins/adapters; no confirmed malicious exfiltration or persistence outside package contract.
Mechanism
package-owned OpenCLI lifecycle setup and user-invoked plugin/adapter execution
Policy narrative
On global install the package performs best-effort setup for completions and OpenCLI-owned state under ~/.opencli. At runtime it creates compatibility shims, discovers adapters/plugins, and supports explicit plugin installation from git/local sources. These are dangerous platform capabilities, but inspection did not find lifecycle delivery into foreign agent control surfaces, credential theft, or unconsented remote payload execution.
Rationale
Source inspection supports a warn-level platform extension lifecycle risk rather than publish-block malware: install-time writes are guarded and package-owned, and network/child-process behavior aligns with documented CLI/plugin/browser automation. No concrete malicious attack surface remains after reviewing lifecycle, discovery, plugin, update, and hinted adapter files.
Evidence
  • package.json
  • scripts/postinstall.js
  • scripts/fetch-adapters.js
  • dist/src/discovery.js
  • dist/src/plugin.js
  • dist/src/update-check.js
  • ~/.zsh/completions/_opencli
  • ~/.bash_completion.d/opencli
  • ~/.config/fish/completions/opencli.fish
  • ~/.opencli/spotify.env
  • ~/.opencli/clis
  • ~/.opencli/adapter-manifest.json
  • ~/.opencli/plugins
  • ~/.opencli/plugins.lock.json
Network endpoints (3)
  • 127.0.0.1:19825/shutdown
  • registry.npmjs.org/@jackwener/opencli/latest
  • api.github.com/repos/jackwener/OpenCLI/releases?per_page=20

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall runs scripts/postinstall.js and scripts/fetch-adapters.js.
  • scripts/postinstall.js writes shell completions and ~/.opencli/spotify.env on global install.
  • scripts/fetch-adapters.js can remove stale overrides and write ~/.opencli/adapter-manifest.json on global/explicit first-run paths.
  • dist/src/discovery.js creates ~/.opencli runtime/package symlink and loads user adapters/plugins from ~/.opencli.
  • dist/src/plugin.js supports user-invoked git/local plugin install with npm install and transpilation.
Evidence against
  • Lifecycle writes are guarded by global install/OPENCLI_FETCH/_OPENCLI_FIRST_RUN and target OpenCLI-owned paths, not foreign AI-agent surfaces.
  • No install-time credential harvesting or outbound exfiltration found; adapter network calls are user-invoked site commands.
  • preuninstall only POSTs localhost shutdown to 127.0.0.1:19825.
  • No evidence of CLAUDE/Codex/Cursor/MCP config planting or permission bypass in lifecycle scripts.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network
Supply chain
HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
Manifest
NoLicense
scanned 1,556 file(s), 4.79 MB of source, external domains: 127.0.0.1, 36kr.com, a.example, account.dianping.com, accounts.douban.com, accounts.google.com, accounts.pixiv.net, accounts.spotify.com, admin.xiaoe-tech.com, api.bilibili.com, api.chess.com, api.coingecko.com, api.dictionaryapi.dev, api.fda.gov, api.github.com, api.juejin.cn, api.llama.fi, api.m.jd.com, api.manus.im, api.npmjs.org, api.nuget.org, api.openalex.org, api.osv.dev, api.ruguoapp.com, api.semanticscholar.org, api.slock.ai, api.spotify.com, api.stackexchange.com, api.tvmaze.com, api.xiaoyuzhoufm.com, api.zhihu.com, api.zsxq.com, api2.mubu.com, api2.openreview.net, apiv1.oschina.net, app.cj.sina.com.cn, app.slock.ai, appxxxx.h5.xet.citv.cn, archive.org, arxiv.org, assets.grok.com, auth.1point3acres.com, auth.band.us, auth.openai.com, azuresearch-usnc.nuget.org, baijiahao.baidu.com, bbs.hupu.com, bid.powerchina.cn, bizapi.csdn.net, blog.51cto.com

Source & flagged code

11 flagged
package.json
scripts.postinstall = node scripts/postinstall.js || true; node scripts/fetch-adapters.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js || true; node scripts/fetch-adapters.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/src/external.js
L1: import*as Q from"node:fs";import*as Y from"node:path";import*as V from"node:os";import{fileURLToPath as M}from"node:url";import{spawnSync as U,execFileSync as L}from"node:child_pro...
High
Child Process

Package source references child process execution.

dist/src/external.js · L1
dist/src/browser/article-extract.js
L1: import*as j from"node:fs";import{createRequire as O}from"node:module";const v=O(import.meta.url);let Y=null;function U(){if(Y)return Y;const Q=v.resolve("@mozilla/readability/Reada...
L2: `)}export async function extractArticle(Q,V={}){const Z=buildExtractArticleJs(V),W=await Q.evaluate(Z);if(W==null||typeof W!=="object")return null;const z=W;if(typeof z.html!=="str...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/browser/article-extract.js · L1
dist/src/discovery.js
L1: import*as H from"node:fs";import*as G from"node:os";import*as Y from"node:path";import{fileURLToPath as F,pathToFileURL as v}from"node:url";import{Strategy as A,registerCommand as ...
L2: `;try{if(await H.promises.readFile(x,"utf-8")!==B)await H.promises.writeFile(x,B,"utf-8")}catch{await H.promises.writeFile(x,B,"utf-8")}const V=L,q=Y.join(z,"node_modules","@jackwe...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/discovery.js · L1
clis/flomo/memos.js
L1: import{cli as y,Strategy as A}from"@jackwener/opencli/registry";import{ArgumentError as m,AuthRequiredError as l,CommandExecutionError as s,EmptyResultError as b}from"@jackwener/op...
L2: (() => {
...
L5: if (!raw) return null;
L6: const me = JSON.parse(raw);
L7: const token = me?.access_token || me?.data?.access_token || '';
...
L12: })()
L13: `}function P(t){return/auth|unauth|login|token|permission|forbidden|unauthorized|登录|登陆|鉴权|权限/i.test(String(t||""))}function $(t){if(!Array.isArray(t))return"";return t.map((e)=>{if...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

clis/flomo/memos.js · L1
scripts/postinstall.js
L7: * standard completion directory. For zsh and bash, the script prints manual
L8: * instructions instead of modifying rc files (~/.zshrc, ~/.bashrc) — this
L9: * avoids breaking multi-line shell commands and other fragile rc structures.
...
L60: function detectShell() {
L61: const shell = process.env.SHELL || '';
L62: if (shell.includes('zsh')) return 'zsh';
...
L77: // Skip in CI environments
L78: if (process.env.CI || process.env.CONTINUOUS_INTEGRATION) {
L79: return;
...
L93:
L94: const home = homedir();
L95:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/postinstall.js · L7
dist/src/browser/managed-chrome.js
L1: import{execFileSync as R}from"node:child_process";import*as B from"node:fs";import*as W from"node:path";import{request as x}from"node:http";import{WebSocket as T}from"ws";import{pr...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/browser/managed-chrome.js · L1
dist/src/launcher.js
L1: import{execFileSync as G,spawn as w}from"node:child_process";import{request as D}from"node:http";import*as K from"node:path";import{getElectronApp as U}from"./electron-apps.js";imp...
L2: ${j(X,J)}
L3: `+` • Set OPENCLI_CDP_ENDPOINT=http://127.0.0.1:${J}
L4: `+` • Or just re-run the command once ${X} is listening on port ${J}.`);if(detectProcess(W)){H.debug(`[launcher] ${X} is running but CDP not available`);if(!await q(`${X} is runni...
L5: `);await killProcess(W)}const B=discoverAppPath(X);if(!B)throw new $(`Could not find ${X} on this machine.`,`Install ${X} or register a custom path in ~/.opencli/apps.yaml`);const ...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/launcher.js · L1
clis/segmentfault/article.js
L1: import{CliError as O,CommandExecutionError as v}from"@jackwener/opencli/errors";import{cli as y,Strategy as C}from"@jackwener/opencli/registry";import{publishArticle as p}from"../_...
L2: </script>`,U);if(T!==-1)try{const V=JSON.parse(G.substring(U+_.length,T));Z=V&&V.global&&V.global.sessionInfo&&V.global.sessionInfo.key}catch(V){}}}if(!Z)throw Error("获取思否 session ...
L3: </script>`,z);if(J!==-1)try{const K=JSON.parse(Z.substring(z+Q.length,J));M=K&&K.global&&K.global.sessionInfo&&K.global.sessionInfo.key}catch(K){}}}if(!M)return{ok:!1,stage:"token"...
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

clis/segmentfault/article.js · L1
scripts/check-doc-coverage.sh
path = scripts/check-doc-coverage.sh kind = build_helper sizeBytes = 2256 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/check-doc-coverage.sh

Findings

1 Critical · 4 High · 7 Medium · 10 Low
  • Critical: Builtin Api Tampering Exfiltration (clis/segmentfault/article.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Child Process (dist/src/external.js)
  • High: Same File Env Network Execution (dist/src/browser/managed-chrome.js)
  • High: Command Output Exfiltration (dist/src/launcher.js)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Dynamic Require (dist/src/discovery.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Install Persistence (scripts/postinstall.js)
  • Medium: Ships Build Helper (scripts/check-doc-coverage.sh)
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Eval (dist/src/browser/article-extract.js)
  • Low: Weak Crypto (clis/flomo/memos.js)
  • Low: Filesystem
  • Low: Obfuscated
  • Low: High Entropy Strings
  • Low: Telemetry
  • Low: Url Strings
  • Low: No License