AI Security Review
scanned 3h ago · by lpm-firewall-ai
No confirmed malicious install-time behavior was found, but the local service exposes an unauthenticated raw file endpoint for its own ~/.aishelf data with wildcard CORS. If the service is running and authenticated, a web page could read the stored AIShelf/GitHub token from the local service.
Decision evidence
public snapshot
- dist/server.js starts local Express service on port 5314 with CORS Access-Control-Allow-Origin '*'.
- dist/server.js exposes unauthenticated GET /raw/* mapped to AISHELF_ROOT via filesystemService.read.
- dist/server.js stores the auth token in ~/.aishelf/storage/config.json, so /raw/storage/config.json would be readable while the service runs.
- dist/server.js sends bearer token to package backend and GitHub APIs; token is package-aligned but sensitive.
- dist/cli.js can install a native OS service, but only via explicit aishelf service install with confirmation.
- package.json has no preinstall/install/postinstall hook; only prepublishOnly build hook.
- CLI service start/install is user-invoked, not automatic at npm install or import time.
- No obfuscated payloads or prompt/reviewer manipulation found in package files.
- child_process use is limited to starting server/docker checks and git diff in local draft comparison.
- Filesystem writes are under ~/.aishelf storage/registries/drafts or user-selected registry resources.
Source & flagged code
3 flagged
- A single source file combines environment access, network access, and code or shell execution; review context before blocking.
  dist/cli.js (L3729)
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
  dist/cli.js (L146)