AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network, process, file, and environment operations implement the framework's explicit CLI, server, bundle, and RPC features rather than install-time execution or covert collection.
Static reason
No blocking static signals were detected.
Trigger
User invokes documented CLI/bundle/server features or an application exposes its own framework routes.
Impact
No package-initiated credential harvesting, external exfiltration, stealth persistence, destructive action, or unconsented AI-agent control-surface mutation found.
Mechanism
User-configured framework runtime, local tooling, and optional application CLI distribution.
Rationale
Direct source inspection found no lifecycle-triggered execution or concrete malicious chain. Flagged primitives are aligned with the documented Bun framework and are either user-invoked, application-configured, or loopback-scoped.
Evidence
package.jsonbin/abide.tssrc/initAgent.tssrc/scaffold.tssrc/lib/ui/compile/parseTemplate.tssrc/controlServerWorker.tssrc/lib/bundle/listenLocalControlServer.tssrc/lib/server/cli/handleCliInstall.tssrc/lib/server/cli/handleCliDownload.tssrc/lib/server/reachable.ts
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json: only a test script; no preinstall/install/postinstall hooks.
- bin/abide.ts: child processes run only for explicit CLI commands.
- src/lib/ui/compile/parseTemplate.ts: scanner's dynamic-import hit is parser validation text, not runtime payload loading.
- src/initAgent.ts: writes a fenced pointer only when user runs `abide init-agent`.
- src/controlServerWorker.ts: optional Claude bridge requires bundled dependency, `claude` on PATH, random token, and loopback-only control server.
- src/lib/server/cli/handleCliInstall.ts: shell installer is an app-server endpoint invoked by a user and validates reflected host input.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesrc/lib/ui/compile/parseTemplate.tsView file
35/* A line-leading static `import` in a nested script body. The `(?=\s)` requires
L36: whitespace after the keyword (sparing `import.meta` and no-space `import(...)`),
L37: and `(?!\s*\()` spares a dynamic `import (...)` written with whitespace before the
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/lib/ui/compile/parseTemplate.tsView on unpkg · L35Findings
3 Medium4 Low
MediumDynamic Requiresrc/lib/ui/compile/parseTemplate.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings