AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a local Alfe gateway daemon with authenticated cloud control and user-invoked service installation, which matches its declared function.
Decision evidence
public snapshot
- dist/health.js opens an authenticated WebSocket to the configured Alfe gateway and accepts cloud COMMAND messages
- dist/health.js can run daemon.update/runtime.update and integration handlers after daemon start
- dist/health.js install command writes launchd/systemd service files for persistence when user invokes CLI install
- package.json has no install/preinstall/postinstall lifecycle hooks
- dist/bin/gateway.js only dispatches explicit CLI commands; no import-time daemon start
- The eval finding in dist/health.js is bundled Zod feature detection (new Function('')), not payload execution
- Network targets are derived from Alfe config/API token and documented package purpose
- Service persistence is behind alfe-gateway install, not automatic on package install
- No credential harvesting beyond configured Alfe API key used for auth to Alfe endpoints
Source & flagged code
6 flagged
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
  dist/health.js · L3
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
  dist/health.js
- Package source references dynamic require/import behavior.
  dist/health.js · L58
- Source writes installer persistence such as shell profile or service configuration.
  dist/health.js · L3