AI Security Review
scanned 6m ago · by lpm-firewall-aiNo install-time or import-time execution is established. Shell, filesystem, and network actions are explicit deployment-mode behavior for staging and running a user agent; no hidden harvesting, exfiltration, persistence, or foreign AI-agent control-surface writes were found.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall hooks.
- dist/modes/dev.js only spawns the generated local runner after explicit launch.
- dist/modes/sandbox.js explicitly deploys a bundle, then runs node runner.mjs in a sandbox.
- dist/modes/sandbox-client.js runs npm install only inside the user-requested sandbox bundle.
- dist/deploy.js sends workspace credentials only to configured cloud workspace APIs.
- dist/bundle.js writes declared deployment artifacts to the caller-selected staging directory.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
dist/modes/sandbox-client.jsView on unpkg · L39Package source invokes a package manager install command at runtime.
dist/modes/sandbox-client.jsView on unpkg · L32Package source references dynamic require/import behavior.
dist/bundle.test.jsView on unpkg · L9This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/modes/dev.jsView on unpkg