registry  /  stella-coder  /  5.2.1

stella-coder@5.2.1

Stella Coder 5.0 — AI coding agent with Telegram bot, huge context, TDD, Git ecosystem, presentations, computer control, smart home, Office automation, and antivirus

AI Security Review

scanned 2h ago · by lpm-firewall-ai

An explicitly started Telegram bot accepts authenticated remote messages and inserts them into a shell command. Its print-mode CLI invocation bypasses the package's interactive tool-approval gate, enabling remote local-system actions.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `stella` and invokes `/tg`; an authorized Telegram sender sends a message.
Impact
Remote code execution with the invoking user's privileges; arbitrary files, environment values, commands, and network access can be reached.
Mechanism
Shell injection and permission-bypassed AI-agent command execution through Telegram polling.
Attack narrative
After the user explicitly starts `/tg`, the embedded bot polls Telegram and forwards an authenticated message through `execSync` as `node ... index.mjs -p "<message>"`. The message is not safely shell-escaped, so shell substitutions can execute before the CLI starts. Even absent direct injection, `-p` sets print mode, which unconditionally approves all AI tools. Those tools include shell execution, filesystem access, environment reads, and HTTP requests. The weak, unthrottled four-digit authorization code makes this remote control boundary materially unsafe.
Rationale
Source confirms a concrete remote command-execution chain, not merely a user-invoked administration feature. No install hook is present, but the explicit bot setup exposes an unsafe remote RCE surface with automatic permission bypass.
Evidence
package.jsonstella-cli/telegram-bot.mjsstella-cli/index.mjsstella-cli/tools.mjs~/.stella/telegram-auth.json
Network endpoints2
api.telegram.orgopencode.ai

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `stella-cli/telegram-bot.mjs` embeds a Telegram bot credential and polls `api.telegram.org`.
  • Authenticated Telegram messages reach `execSync` in `stella-cli/telegram-bot.mjs`.
  • The command interpolates message text into a shell command; only double quotes are escaped, leaving shell substitutions possible.
  • The invoked CLI uses `-p`, and `stella-cli/index.mjs` makes print mode auto-approve every tool permission.
  • `stella-cli/tools.mjs` exposes shell execution, file access, environment reads, and network fetching.
  • Telegram authorization uses an unthrottled four-digit local admin code.
Evidence against
  • `package.json` defines no npm preinstall, install, or postinstall hook.
  • Starting the Telegram bot requires the explicit `/tg` CLI command.
  • The package stores bot authorization locally under `~/.stella`.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 36 file(s), 991 KB of source, external domains: 127.0.0.1, api.duckduckgo.com, api.github.com, api.telegram.org, discord.gg, fonts.googleapis.com, github.com, gitlab.com, html.duckduckgo.com, ollama.com, opencode.ai, www.google.com, www.kinopoisk.ru, www.virustotal.com, www.youtube.com

Source & flagged code

11 flagged · loading source
dist/security.mjsView file
4import os from "node:os" L5: import { execSync } from "node:child_process" L6: import { fileURLToPath } from "node:url"
High
Child Process

Package source references child process execution.

dist/security.mjsView on unpkg · L4
dist/antimalware/scanner.mjsView file
336"ollama.exe", "ollama_llama_server.exe", L337: "powershell.exe", "pwsh.exe", "cmd.exe", L338: "WindowsTerminal.exe", "wt.exe",
High
Shell

Package source references shell execution.

dist/antimalware/scanner.mjsView on unpkg · L336
dist/antimalware/database.mjsView file
165{ id: "SIG-037", name: "Service install", severity: "high", category: "privesc", L166: pattern: /CreateService[\s\S]{0,100}(SERVICE_AUTO_START|SERVICE_WIN32_OWN_PROCESS)[\s\S]{0,100}(cmd|powershell|bash)/ }, L167: ... L188: { id: "SIG-044", name: "Scheduled task", severity: "high", category: "persistence", L189: pattern: /schtasks[\s\S]{0,100}(\/create|\/Create)[\s\S]{0,100}(cmd|powershell|bash|python|perl)/ }, L190: ... L207: { id: "SIG-050", name: "DNS tunneling", severity: "high", category: "backdoor", L208: pattern: /DnsQuery[\s\S]{0,100}(TXT|MX|CNAME)[\s\S]{0,100}(encode|decode|base64)[\s\S]{0,100}(socket|connect)/ }, L209: ... L240: { id: "SIG-060", name: "HTTP POST exfil", severity: "high", category: "exfil", L241: pattern: /(fetch|XMLHttpRequest|axios|http\.request|request\()[\s\S]{0,200}(POST|PUT)[\s\S]{0,200}(password|token|secret|credential|cookie)/ }, L242:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/antimalware/database.mjsView on unpkg · L165
dist/index.mjsView file
6Cross-file remote execution chain: dist/index.mjs spawns dist/tools.mjs; helper contains network access plus dynamic code execution. L6: import os from "node:os" L7: import { execSync } from "node:child_process" L8: import { streamText, stepCountIs, generateText } from "ai" ... L22: const VERSION = "3.9.2" L23: const CONFIG_DIR = path.join(os.homedir(), ".stella") L24: const CONFIG_PATH = path.join(CONFIG_DIR, "config.json") ... L26: L27: const ZEN_BASE_URL = "https://opencode.ai/zen/v1" L28: ... L53: function loadConfig() { L54: try { return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf8")) } catch { return {} } L55: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.mjsView on unpkg · L6
1371try { L1372: const { execSync } = await import("node:child_process") L1373: execSync(lintCmd, { encoding: "utf8", stdio: "inherit" }) ... L1379: case "/format": { L1380: const formatCmd = arg || "npx prettier --write ." L1381: console.log(dim(`\n Форматирую: ${formatCmd}\n`))
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.mjsView on unpkg · L1371
6import os from "node:os" L7: import { execSync } from "node:child_process" L8: import { streamText, stepCountIs, generateText } from "ai" ... L22: const VERSION = "3.9.2" L23: const CONFIG_DIR = path.join(os.homedir(), ".stella") L24: const CONFIG_PATH = path.join(CONFIG_DIR, "config.json") ... L26: L27: const ZEN_BASE_URL = "https://opencode.ai/zen/v1" L28: ... L53: function loadConfig() { L54: try { return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf8")) } catch { return {} } L55: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.mjsView on unpkg · L6
stella-cli/telegram-bot.mjsView file
4import crypto from "node:crypto" L5: import { execSync } from "node:child_process" L6: ... L11: const BOT_TOKEN = "8923551485:AAFw4wG8ZwOtp5rzFsnguxhu4AH-2_ebSi0" L12: const API_URL = `https://api.telegram.org/bot${BOT_TOKEN}` L13: const PREMIUM_CODE = "10102013" ... L15: L16: const CONFIG_DIR = path.join(os.homedir(), ".stella") L17: const BOT_CONFIG_PATH = path.join(CONFIG_DIR, "telegram-bot.json") ... L29: headers: { "Content-Type": "application/json" }, L30: body: JSON.stringify(body), L31: signal: AbortSignal.timeout(30000),
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

stella-cli/telegram-bot.mjsView on unpkg · L4
4Trigger-reachable chain: manifest.main -> stella-cli/index.mjs -> stella-cli/telegram-bot.mjs L4: import crypto from "node:crypto" L5: import { execSync } from "node:child_process" L6: ... L11: const BOT_TOKEN = "8923551485:AAFw4wG8ZwOtp5rzFsnguxhu4AH-2_ebSi0" L12: const API_URL = `https://api.telegram.org/bot${BOT_TOKEN}` L13: const PREMIUM_CODE = "10102013" ... L15: L16: const CONFIG_DIR = path.join(os.homedir(), ".stella") L17: const BOT_CONFIG_PATH = path.join(CONFIG_DIR, "telegram-bot.json") ... L29: headers: { "Content-Type": "application/json" }, L30: body: JSON.stringify(body), L31: signal: AbortSignal.timeout(30000),
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

stella-cli/telegram-bot.mjsView on unpkg · L4
.opencode/skills/ui-ux-pro-max/scripts/design_system.pyView file
path = .opencode/skills/ui-ux-pro-max/scripts/design_system.py kind = payload_in_excluded_dir sizeBytes = 57424 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.opencode/skills/ui-ux-pro-max/scripts/design_system.pyView on unpkg
path = .opencode/skills/ui-ux-pro-max/scripts/design_system.py kind = build_helper sizeBytes = 57424 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.opencode/skills/ui-ux-pro-max/scripts/design_system.pyView on unpkg
stella-cli/git-api.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = stella-coder@5.2.0 matchedIdentity = npm:c3RlbGxhLWNvZGVy:5.2.0 similarity = 0.970 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

stella-cli/git-api.mjsView on unpkg

Findings

3 Critical5 High5 Medium5 Low
CriticalCredential Exfiltrationstella-cli/telegram-bot.mjs
CriticalTrigger Reachable Dangerous Capabilitystella-cli/telegram-bot.mjs
CriticalPrevious Version Dangerous Deltastella-cli/git-api.mjs
HighChild Processdist/security.mjs
HighShelldist/antimalware/scanner.mjs
HighCross File Remote Execution Contextdist/index.mjs
HighRuntime Package Installdist/index.mjs
HighPayload In Excluded Dir.opencode/skills/ui-ux-pro-max/scripts/design_system.py
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.mjs
MediumShips Build Helper.opencode/skills/ui-ux-pro-max/scripts/design_system.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/antimalware/database.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings