AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time attack surface is established. At authenticated runtime, the package can relay explicit code-agent commands to a configured Agent-Native endpoint; this is a dangerous capability but not covert package behavior.
Static reason
No blocking static signals were detected.
Trigger
An authenticated Dispatch action or a linked Telegram user's `/code` command.
Impact
A permitted caller can request create, continue, approval, denial, or stop operations on a remote code-agent host.
Mechanism
Authenticated remote code-agent command relay.
Rationale
Source inspection found no lifecycle execution, credential harvesting, filesystem mutation, or covert exfiltration. Its authenticated remote code-agent relay is a real dangerous dual-use capability, so warn rather than mark clean or block.
Evidence
package.jsonsrc/actions/send-code-agent-remote-command.tssrc/server/lib/dispatch-remote-commands.tssrc/server/lib/dispatch-integrations.tssrc/server/plugins/agent-chat.ts
Network endpoints3
slack.com/api/users.infoslack.com/api/conversations.infoapi.sendgrid.com/v3/mail/send
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/actions/send-code-agent-remote-command.ts` accepts create/continue/approve/stop code-agent commands.
- `src/server/lib/dispatch-remote-commands.ts` forwards command envelopes to a relay endpoint.
- Telegram `/code` messages can invoke the relay after linked-owner resolution.
- `src/server/plugins/agent-chat.ts` exposes package actions to an agent chat plugin.
Evidence against
- `package.json` has no preinstall, install, postinstall, or uninstall lifecycle hook.
- No production source imports filesystem, child-process, or VM execution APIs.
- Relay action requires `getRequestUserEmail()` and rejects unauthenticated requests.
- Network calls are integration-aligned: Slack identity lookup and SendGrid approval email.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/actions/view-screen.jsView file
19const modulePath = `./${name}.js`;
L20: const module = (await import(/* @vite-ignore */ modulePath));
L21: if (!module.default)
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/actions/view-screen.jsView on unpkg · L19Findings
3 Medium4 Low
MediumDynamic Requiredist/actions/view-screen.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings