AI Security Review
scanned 2h ago · by lpm-firewall-aiRunning `agentdraw open` exposes a local HTTP `/api/scene` endpoint that reads and writes caller-supplied filesystem paths. The endpoint defaults to `127.0.0.1:3927` but emits `access-control-allow-origin: *`; its API path handling does not enforce the package's own blocked-directory guard.
Decision evidence
public snapshot- `dist/index.js` has no `preinstall`, `install`, or `postinstall` lifecycle trigger in `package.json`; the executable is activated only through the `agentdraw` CLI.
- When `agentdraw open` runs, `dist/index.js` starts an HTTP server defaulting to `127.0.0.1:3927`; its `/api/scene` GET route reads a path supplied in the `file` query parameter, and its POST route writes a path supplied in JSON `filePath`.
- `dist/index.js` resolves API paths with `path.resolve(cwd, input)` but the `/api/scene` handler does not call its separately defined `assertSafePath` helper. Absolute paths and `../` traversal can therefore target paths outside the project working directory subject to the invoking user's filesystem permissions.
- The HTTP API sets `access-control-allow-origin: *`, allowing a browser origin other than the local AgentDraw UI to make cross-origin requests to the local server once the user has started it.
- The flagged `spawn` uses are bounded to the explicit `open --background` CLI flow, which relaunches the package's own Node entrypoint, and to the explicit browser-opening option. No `eval`, `Function`, shell command execution, remote JavaScript loader, credential collection, or lifecycle persistence was found in `dist/index.js`.
- The high-entropy blobs are `.woff2` font assets, and the large base64-like string in `web-dist/assets/subset-shared.chunk-RWQhCJhi.js` is decoded into a WebAssembly module used by the bundled web application; it is not an unconsumed staged payload carrier.
- The flagged U+202A occurrence in `web-dist/assets/index-Cy2H_O9D.js` is inside a minified bundled Excalidraw web asset. Inspection found no adjacent reviewer-directed text, hidden execution branch, or package-specific loader chain.
- The local server is user-invoked through `agentdraw open`, defaults to loopback, and contains no install-time trigger; exploitation requires the server to be running and an attacker-controlled browser context to reach it.
- The inspected package contains no foreign AI-agent configuration writes, MCP registration, shell startup changes, VCS hook setup, detached daemon beyond the user-selected background server, remote command execution, or data-exfiltration endpoint.
- The bundled web distribution contains product-aligned Excalidraw collaboration/library URL strings, but inspection did not establish that AgentDraw automatically transmits local scene data or credentials to those hosts.
Source & flagged code
6 flagged · loading sourcePackage contains a critical-looking secret pattern.
web-dist/assets/subset-shared.chunk-RWQhCJhi.jsView on unpkg · L22AWS access key ID in web-dist/assets/subset-shared.chunk-RWQhCJhi.js
web-dist/assets/subset-shared.chunk-RWQhCJhi.jsView on unpkg · L22Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
web-dist/assets/index-Cy2H_O9D.jsView on unpkg · L100Google API key in web-dist/assets/index-Cy2H_O9D.js
web-dist/assets/index-Cy2H_O9D.jsView on unpkg · L10Package ships high-entropy non-source blobs.
web-dist/assets/Assistant-Bold-gm-uSS1B.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg