Findings
- Medium: The update flow downloads and executes a remote installer script without signature or checksum verification, so a compromised GitHub repo or MITM could execute arbitrary code during update. (mole:282, mole:289, mole:296, mole:384, install.sh:115, install.sh:121, install.sh:135)
- Low: The interactive analyzer deletes user-selected paths via os.RemoveAll without a denylist or path validation layer; a mistaken selection (or running as root) could remove critical data. (cmd/analyze/delete.go:76, cmd/analyze/delete.go:118)
- Low: Auto-fix and Touch ID helpers modify security-sensitive system settings (firewall state, PAM config, Rosetta install) using sudo. These are user-initiated but high-impact operations worth flagging. (lib/manage/autofix.sh:132, lib/manage/autofix.sh:149, lib/manage/autofix.sh:162, bin/touchid.sh:82, bin/touchid.sh:111)
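As an added illustration of the fix for the Medium finding (this is example code, not mole's install.sh or updater), the sketch below downloads the installer to a temporary file, compares its SHA-256 against a digest pinned in the updater, and only then executes it. The function names, the use of curl, and the idea of a pinned digest are assumptions; the digest must come from somewhere the attacker of the download channel cannot also control (a value baked into the released binary, or a signed release manifest), otherwise the check adds nothing.

```shell
# Added example, not part of mole. Fetch an installer only after its SHA-256
# matches an expected digest, so a tampered or MITM-modified download is
# never executed. All names here are assumed.

# Print the SHA-256 of a file with whichever tool the host provides
# (macOS ships shasum; Linux coreutils ships sha256sum).
sha256_of_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the expected digest.
# An empty expected digest is a configuration error and never matches.
# Digests are compared in lowercase so an uppercase pin still matches.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    actual=$(sha256_of_file "$file")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Download, verify, then execute. Any failure removes the temp file and
# returns non-zero before the script is ever run.
fetch_verify_run() {
    url="$1"
    expected="$2"   # pinned digest shipped with the updater (assumed)
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        echo "download of $url failed" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "checksum mismatch for $url; refusing to run installer" >&2
        return 1
    fi
    sh "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}
```

The same shape works for a signature check: replace verify_sha256 with a call that verifies a detached signature against a public key embedded in the binary. What matters is that the trust anchor (digest or key) does not travel over the same unauthenticated channel as the script.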
Assessment (Maliciousness)
- I found no evidence of data exfiltration, telemetry, or C2 behavior; network access appears limited to GitHub version checks and installer fetches. (mole:41, mole:58, lib/check/all.sh:301, install.sh:121)
- Destructive operations are generally gated by explicit path validation and protected-path checks in the shell layer. (lib/core/file_ops.sh:32, lib/core/file_ops.sh:75, lib/core/app_protection.sh:503)
Notes
- This is a static review of the source tree; I did not run dynamic analysis or execute the binaries.
If you want, I can help harden this further:
- Add checksum or signature verification for updates/installer downloads.
- Add an explicit denylist/path validation layer to the analyzer delete flow.
- Add a “require explicit typing” confirmation for destructive actions (e.g., deleting outside $HOME).
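To make the last two suggestions concrete, here is an added example (not mole's code, and not its lib/core/file_ops.sh guard) of a denylist plus path-validation gate and a typed confirmation in front of a recursive delete. The protected-path list, the "delete <basename>" phrase, and all function names are assumptions; the Go analyzer would implement the same checks around os.RemoveAll.

```shell
# Added example, not part of mole. A guard layer for a destructive delete:
# reject known-critical paths and malformed selections, and require the
# user to type an explicit phrase when the target is outside $HOME or the
# process runs as root. All names and the denylist contents are assumed.

# Denylist of paths that must never be removed whatever the user selected.
# Quoted variables in case patterns match literally, so $HOME is safe here.
is_protected_path() {
    case "$1" in
        /|/bin|/sbin|/usr|/etc|/var|/private|/System|/Library|/Applications|"$HOME"|"$HOME"/Library)
            return 0 ;;
    esac
    return 1
}

# Return 0 only for an absolute path, with no ".." component, that is not
# on the denylist. A trailing slash is stripped so "/usr/" matches "/usr".
is_deletable_path() {
    p="$1"
    case "$p" in
        ""|[!/]*) return 1 ;;          # empty or relative
        ..|*/..|*/../*|../*) return 1 ;; # parent traversal
    esac
    p="${p%/}"
    [ -z "$p" ] && p="/"               # "/" alone stripped to empty above
    if is_protected_path "$p"; then
        return 1
    fi
    return 0
}

# Return 0 when the path is not inside the user's home directory.
outside_home() {
    case "$1" in
        "$HOME"/*) return 1 ;;
    esac
    return 0
}

# Read one line from stdin and accept only the exact phrase "delete <name>".
confirm_delete() {
    phrase="delete $(basename -- "$1")"
    printf 'Type "%s" to remove %s: ' "$phrase" "$1" >&2
    IFS= read -r typed
    [ "$typed" = "$phrase" ]
}

# The delete itself: validation first, then typed confirmation for the
# high-impact cases, then removal.
guarded_delete() {
    target="$1"
    if ! is_deletable_path "$target"; then
        echo "refusing to delete protected or invalid path: $target" >&2
        return 1
    fi
    if outside_home "$target" || [ "$(id -u)" -eq 0 ]; then
        confirm_delete "$target" || { echo "aborted" >&2; return 1; }
    fi
    rm -rf -- "$target"
}
```

The denylist is deliberately a short, explicit list rather than a heuristic: the check a reviewer can read in ten seconds is the one that will still be correct after the next refactor. Symlinked selections are a separate concern; resolving them before the check (pwd -P, or filepath.EvalSymlinks in Go) keeps a link inside $HOME from pointing the delete at a protected directory.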