AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Configured first-party plugins may be refreshed from npm at runtime and then dynamically imported into the CLI process. This is a package-owned extension lifecycle risk, not confirmed malware.
Static reason
No blocking static signals were detected.
Trigger
User runs `antseed seller start` or `antseed buyer start` with a configured trusted plugin whose dependency tree is stale or missing.
Impact
A newly fetched trusted plugin can execute with the invoking user's CLI permissions.
Mechanism
Automatic latest-version plugin installation followed by dynamic import.
Rationale
No concrete malicious behavior or install-time foreign control-surface mutation was found. Downgrade to warn because user-invoked runtime automatically fetches and executes first-party plugin code at `@latest`.
Evidence
package.jsondist/plugins/drift.jsdist/plugins/loader.jsdist/plugins/manager.jsdist/cli/commands/seller/start.jsdist/cli/commands/buyer/start.js~/.antseed/plugins/package.json
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/plugins/drift.js` refreshes selected trusted plugins with `npm install --ignore-scripts <plugin>@latest`.
- `dist/cli/commands/seller/start.js` and `dist/cli/commands/buyer/start.js` invoke refresh before dynamically importing selected plugins.
- `dist/plugins/loader.js` installs missing trusted plugins and imports their on-disk entrypoints.
- `dist/system-proxy/ca-manager.js` can install a local CA, but only via the explicit `system-proxy install-ca` command.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
- Plugin installation uses `--ignore-scripts`, limiting lifecycle execution during install.
- No source evidence of credential harvesting, secret exfiltration, or covert remote payload loading by this package.
- System proxy and CA changes are behind explicit CLI subcommands rather than import/install-time execution.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcedist/plugins/loader.jsView file
41try {
L42: mod = await import(pathToFileURL(resolved).href);
L43: }
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/plugins/loader.jsView on unpkg · L41Findings
3 Medium5 Low
MediumDynamic Requiredist/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License