AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious install-time behavior was found, but the runtime service exposes sensitive ~/.aishelf files through unauthenticated /raw/* while binding broadly with permissive CORS. This can expose stored AIShelf/GitHub auth material if the service is reachable.
Decision evidence
public snapshot- dist/server.js exposes /raw/* outside /api auth and reads under ~/.aishelf
- dist/server.js listens on port 5314 without host restriction and sets CORS Access-Control-Allow-Origin: *
- dist/server.js stores auth token in ~/.aishelf/storage/config.json, which is reachable by /raw/storage/config.json
- dist/server.js authenticateAishelfClient only decodes X-Client-Token without signature verification
- dist/server.js can upload local audit logs to https://kml6nyj2ad.execute-api.us-east-1.amazonaws.com/audit-logs/upload when API is invoked
- dist/server.js uses execAsync for git diff with quoted paths derived from local resource paths
- package.json has no preinstall/install/postinstall lifecycle hooks; only prepublishOnly build
- CLI service install is explicit and prompts before native service registration
- Network use is package-aligned: AIShelf backend, GitHub via Octokit/simple-git, localhost health checks
- File writes are mainly under ~/.aishelf storage/drafts/registries/logs and user-invoked service state
- No obfuscation, remote payload loading, credential harvesting loop, or install-time AI-agent control mutation found
- README describes a local AIShelf service exposing localhost:5314 for clients
Source & flagged code
3 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L3724Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.jsView on unpkg · L146