AI Security Review
scanned 20h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- dist/health.js starts a persistent Alfe cloud WebSocket using user's API key and accepts COMMAND/DESIRED_STATE messages.
- dist/health.js handles cloud commands for daemon.update/runtime.update, running npm install -g or runtime update commands.
- dist/health.js dynamically imports integration handler files registered after cloud-driven reconciliation.
- dist/health.js can add/remove/call MCP servers through local IPC and an MCP bundler.
- dist/health.js installService writes launchd/systemd persistence, but only via explicit CLI install command.
- package.json has no npm lifecycle hooks, so install/import does not auto-run service setup.
- dist/bin/gateway.js exposes user-invoked CLI commands; daemon/start/install are not hidden install-time behavior.
- eval/new Function matches are bundled dependency capability checks, not remote asset decode/execute logic.
- Network use is package-aligned: Alfe API, gateway WebSocket, AI proxy, and Sentry telemetry.
- OpenClaw MCP cleanup preserves non-Alfe user entries and is sentinel-gated.
Source & flagged code
7 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/health.jsView on unpkg · L3A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/health.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/health.jsView on unpkgPackage source references dynamic require/import behavior.
dist/health.jsView on unpkg · L58Source writes installer persistence such as shell profile or service configuration.
dist/health.jsView on unpkg · L3