registry  /  terminal-commander  /  0.1.76

terminal-commander@0.1.76

Terminal Commander: local MCP-operated terminal/file signal channel with native Linux, Windows, and macOS packages.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The npm `postinstall` automatically detects and mutates installed Cursor, Codex CLI, and Claude MCP configuration. It also may install/start a local daemon autostart path on Linux/WSL. This is an unconsented install-time mutation of broad foreign AI-agent control surfaces.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm installation running the postinstall lifecycle hook outside CI with no opt-out environment variable
Impact
Causes third-party coding agents to launch the package MCP binary and may persist a local daemon without an explicit setup command.
Mechanism
automatic MCP registration and daemon-autostart bootstrap
Policy narrative
Installing the package runs `postinstall`, which calls the bootstrap orchestrator. In install mode it detects multiple unrelated coding-agent harnesses and writes Terminal Commander MCP launch configuration into their user-level config files. The same bootstrap can install or invoke daemon autostart on Linux/WSL. Although there are opt-out and CI guards and no confirmed exfiltration, the automatic lifecycle mutation of Codex, Cursor, and Claude control surfaces is concrete and unconsented.
Rationale
This package performs an npm postinstall-time mutation of broad, foreign AI-agent configuration files rather than requiring its documented explicit setup command. Per the install-control-surface policy, this warrants blocking despite the absence of confirmed network exfiltration or remote payload execution.
Evidence
package.jsonscripts/postinstall.jslib/bootstrap/orchestrator.jslib/harness/registry.jslib/harness/paths.jslib/harness/write_all.jslib/daemon/autostart.js~/.cursor/mcp.json~/.codex/config.toml~/.claude.json~/.config/Claude/claude_desktop_config.json~/.config/terminal-commander/autostart.sh~/.config/systemd/user/terminal-commanderd.service

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/postinstall.js` during installation.
  • `scripts/postinstall.js` invokes bootstrap automatically unless opt-out/CI guards apply.
  • `lib/bootstrap/orchestrator.js` enables auto-configuration in install mode.
  • `lib/harness/registry.js` targets Cursor, Codex CLI, Claude Code, and Claude Desktop.
  • `lib/harness/paths.js` resolves foreign agent config paths such as `~/.codex/config.toml` and `~/.claude.json`.
  • `lib/harness/write_all.js` writes MCP launch entries into detected agent configs.
Evidence against
  • No install-time network API use was found; npm registry HTTPS is limited to explicit `terminal-commander update`.
  • Child processes generally use `shell: false`; no dynamic eval or remote payload loading was found.
  • Agent configuration is limited to package-owned MCP server stanzas and includes opt-out variables.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 52 file(s), 297 KB of source, external domains: github.com, registry.npmjs.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/terminal-commanderd.jsView file
11// - On Linux + supported arch + platform package installed: L12: // `child_process.spawn` the Rust binary with `shell: false` and L13: // `stdio: 'inherit'`. Forwards `process.argv.slice(2)` verbatim
High
Child Process

Package source references child process execution.

bin/terminal-commanderd.jsView on unpkg · L11
lib/daemon/autostart.jsView file
11const os = require("node:os"); L12: const { spawnSync } = require("node:child_process"); L13: const { applyManagedBlock, hasManagedBlock } = require("./managed_block.js"); ... L34: function shouldInstallDaemonAutostart(env) { L35: const e = env || process.env; L36: if (e.TC_SKIP_DAEMON_AUTOSTART === "1") return false; ... L44: set -eu L45: TC_DATA="\${TC_DATA:-$HOME/.local/share/terminal-commanderd}" L46: SOCK="\$TC_DATA/terminal-commanderd.sock" ... L68: Description=Terminal Commander daemon (user) L69: Documentation=https://github.com/special-place-ai-heaven/terminal-commander L70: After=default.target
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

lib/daemon/autostart.jsView on unpkg · L11
lib/wsl/native-mcp.jsView file
37process.stderr.write( L38: "terminal-commander: Windows npm shim invoked inside WSL; install native runtime: npm install -g terminal-commander (inside the distro, not on Windows PATH)\n", L39: ); ... L41: } L42: const child = spawn(native, argv, { stdio: "inherit", shell: false }); L43: child.on("exit", (code, signal) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/wsl/native-mcp.jsView on unpkg · L37
bin/terminal-commander.jsView file
matchType = previous_version_dangerous_delta matchedPackage = terminal-commander@0.1.74 matchedIdentity = npm:dGVybWluYWwtY29tbWFuZGVy:0.1.74 similarity = 0.939 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/terminal-commander.jsView on unpkg

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/terminal-commander.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/terminal-commanderd.js
HighRuntime Package Installlib/wsl/native-mcp.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencelib/daemon/autostart.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings