AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time behavior. The package is an explicit CLI/project generator; its generated local dashboard can write project files and install dependencies only after user commands or authenticated local dashboard actions.
Decision evidence
public snapshot- `scripts/reveal-passkey.mjs` brute-forces legacy numeric SHA-256 passkeys when explicitly run against a supplied app path.
- `skeleton/.4bnode/dev-api.js` reports host, OS-user, app name, and sender address only after an authorized `4brains.in` mail setup.
- `skeleton/.4bnode/ui.html` loads dashboard libraries from `esm.sh` at dashboard runtime.
- `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook is present.
- `index.js` runs copying and `npm install` only for the explicit `4bnode init` command.
- `skeleton/.4bnode/dev-api.js` disables the dashboard in production by default and restricts it to loopback unless explicitly enabled remotely.
- AI requests target documented provider APIs and use project-configured keys only after dashboard use.
- No AI-agent control-surface paths or unrelated credential/file harvesting were found.
Source & flagged code
8 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
index.jsView on unpkgPackage source invokes a package manager install command at runtime.
index.jsView on unpkg · L57Package source references a known benign dynamic code generation pattern.
scripts/audit-dev-surface.mjsView on unpkg · L36Package source references dynamic require/import behavior.
add-email.jsView on unpkg · L34Package ships high-entropy non-source blobs.
skeleton/.4bnode/assets/fonts/NotoSans-SemiBold.woff2View on unpkg