AI Security Review
scanned 5h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package executes user-selected trading strategies and can scaffold a project only when explicitly invoked with CLI flags.
Decision evidence
public snapshot- package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
- build/index.mjs gates scaffolding and npm install behind explicit --init or --docker CLI flags.
- template/project/scripts/fetch_docs.mjs only fetches named GitHub README URLs into scaffolded project docs.
- build/index.mjs loads .env and uses Telegram/Binance features for explicit trading/UI modes; no credential exfiltration path found.
- Dynamic loader imports user-selected strategy/config/module files, consistent with the package CLI’s stated execution role.
- No writes to foreign AI-agent control paths, persistence locations, or hidden payload files found.
Source & flagged code
7 flagged · loading sourceSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
build/index.cjsView on unpkg · L13Package source invokes a package manager install command at runtime.
build/index.cjsView on unpkg · L4528Package source references a known benign dynamic code generation pattern.
build/index.cjsView on unpkg · L2970This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
build/index.mjsView on unpkgPackage source references dynamic require/import behavior.
template/project/config/symbol.config.tsView on unpkg · L1