Safe, reproducible demo of VS Code folder-open tasks, npm lifecycle scripts, and localhost-only environment variable collection.
This repository demonstrates two developer-targeted execution paths:
- VS Code and Cursor folder-open task execution through
.vscode/tasks.jsonandrunOptions.runOn: "folderOpen". - npm lifecycle execution through
package.jsonscripts such asprepare.
It also demonstrates an environment-variable collection pattern safely. The runnable demo sends only variables whose names start with CODENOTE_DEMO_ to a collector bound to 127.0.0.1:47391.
This repository intentionally contains controlled examples of local execution triggers. Review it before opening fixture folders in an editor or running package-manager commands.
Safety boundaries:
- No root-level
.vscode/tasks.jsonis included. - Runnable code never sends full
process.env. - Runnable code sends only
CODENOTE_DEMO_variables. - The collector listens on
127.0.0.1:47391by default. - Sensitive-looking demo variable names are masked in collector logs.
- Dangerous examples are inert
.sample.jsonfiles undersamples/. - There are no runnable
curl | bash,wget | sh, PowerShell download-execute, or remote-code-execution payloads.
The target runtime is Node.js 26.2.0.
Install it with mise:
mise install
node -v
npm -vThe runtime pin is stored in .mise.toml.
VS Code tasks can request folder-open execution with:
{
"runOptions": {
"runOn": "folderOpen"
}
}The safe fixture is here:
fixtures/vscode-folderopen-env-demo/.vscode/tasks.json
It runs the local safe env client and uses presentation.reveal: "always" so the behavior is visible.
npm can execute lifecycle scripts during install operations. The fixture uses a prepare script:
fixtures/npm-prepare-env-demo/package.json
Run it only with demo-scoped variables:
CODENOTE_DEMO_REGION=ap-northeast-1 \
CODENOTE_DEMO_GITHUB_TOKEN=fake-gh-token \
npm install --package-lock=false --prefix fixtures/npm-prepare-env-demoThe safe client reads process.env, filters to CODENOTE_DEMO_, and sends only those variables to the local collector.
The collector masks names containing:
SECRETTOKENKEYPASSWORDCREDENTIAL
Example collector output:
[collector] received /collect from npm-prepare-env-demo
[collector] variableCount=2
CODENOTE_DEMO_GITHUB_TOKEN=***masked***
CODENOTE_DEMO_REGION=ap-northeast-1
apps/collector/server.js
packages/safe-env-client/send-demo-env.js
fixtures/npm-prepare-env-demo/package.json
fixtures/vscode-folderopen-env-demo/.vscode/tasks.json
samples/dangerous-package.sample.json
samples/dangerous-tasks.sample.json
scripts/scan.js
scripts/walkthrough.js
Install dependencies:
npm ciThe npm lifecycle fixtures are intentionally not part of the root npm workspaces. A root npm ci must not trigger the demo prepare script. Run the fixture only with the scoped command shown below.
Start the collector:
npm run collectorIn another terminal, run the safe npm lifecycle demo:
CODENOTE_DEMO_REGION=ap-northeast-1 \
CODENOTE_DEMO_GITHUB_TOKEN=fake-gh-token \
npm install --package-lock=false --prefix fixtures/npm-prepare-env-demoTo demonstrate VS Code behavior, inspect the fixture first, then open only the fixture folder:
code fixtures/vscode-folderopen-env-demoRun the scanner:
npm run scanThe scanner reports intentionally suspicious patterns but exits 0 by default so CI can show findings without blocking.
Fail on high-severity findings:
npm run scan -- --fail-on-highThe scanner detects:
runOptions.runOn: "folderOpen"presentation.reveal: "never"- suspicious shell terms such as
curl,wget,bash,sh,powershell,Invoke-WebRequest,iwr, andiex - npm lifecycle scripts
- JavaScript primitives such as
process.env,new Function,eval(,child_process,axios.post, andfetch(
Print the deterministic walkthrough:
npm run walkthroughRun only the safe npm fixture from the walkthrough script after starting the collector:
npm run walkthrough -- --run-safe-npm-demoThe walkthrough script does not open VS Code automatically.
Claude Code walkthrough skill:
.claude/skills/vscode-folderopen-malware-demo-walkthrough/SKILL.md
Codex walkthrough skill source:
agent-skills/codex/vscode-folderopen-malware-demo-walkthrough/SKILL.md
Install the Codex skill:
mkdir -p "$CODEX_HOME/skills"
cp -R agent-skills/codex/vscode-folderopen-malware-demo-walkthrough "$CODEX_HOME/skills/"If CODEX_HOME is not set:
mkdir -p "$HOME/.codex/skills"
cp -R agent-skills/codex/vscode-folderopen-malware-demo-walkthrough "$HOME/.codex/skills/"The skills reference the repository scripts instead of hiding executable behavior inside agent-specific instructions.
This repository uses:
- Biome for formatting and linting.
- gitleaks for secret scanning.
Run checks:
npm run check
npm run scan
npm run gitleaksReproducibility rules:
- npm only.
package-lock.jsonis committed..npmrcsetssave-exact=true.- npm dependency versions are exact.
- GitHub Actions are pinned by full commit SHA.
- The workflow comments include the human-readable action versions.
- CI installs gitleaks
v8.30.1from a pinned release asset and verifies the SHA-256 checksum.
Before opening a technical-test, recruiter, or unfamiliar repository in an editor:
- Inspect
.vscode/tasks.json. - Inspect
package.jsonlifecycle scripts. - Inspect shell scripts and installer scripts.
- Look for download-execute patterns.
- Look for code that reads
process.envand performs network calls. - Prefer browser inspection or static tooling before opening the folder in an editor.
git clone mainly writes files. Opening a folder in an editor and running package-manager commands can execute code.
If a suspicious repository was already opened or installed:
- Assume exposed local credentials may be compromised.
- Stop running processes from that repository.
- Disconnect network access if active exfiltration is suspected.
- Rotate tokens, API keys, SSH keys, and cloud credentials.
- Review shell history, editor tasks, package-manager logs, and process history.
- Rebuild affected development environments when trust is unclear.