AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Flakes CLI that can register a local host agent, persist host credentials/config, connect to flakes.dev, and launch sandbox/worktree processes for assigned work. This is a real agent/runtime capability but is activated by explicit CLI commands, not by npm installation or import.
Decision evidence
public snapshot- dist/commands/up.js creates .flakes/host config/credential files and starts a Herdr host-agent pane on explicit `flakes up`.
- dist/commands/host.js `host run` connects a host runtime to the control plane and can execute provider launches.
- dist/host-runner.js can spawn MatchLock or worktree sandbox processes for remotely assigned leases.
- dist/host-transport.js opens an authenticated WebSocket to /v1/hosts/<id>/stream.
- dist/io.js hardcodes default API origin https://flakes.dev.
- package.json has no preinstall/install/postinstall lifecycle scripts.
- dist/index.js only dispatches CLI commands when invoked as the main module.
- File writes are tied to explicit user commands such as `flakes up`, `host setup`, `harness init`, and artifact/task fetches.
- Credentials are written under user-selected or .config/.flakes paths with 0600-style modes; output redacts known sensitive fields.
- Network requests target the Flakes control-plane API and auth/device-flow routes consistent with package purpose.
- No evidence of credential harvesting, covert exfiltration, destructive behavior, or broad AI-agent control-surface mutation at install time.
Source & flagged code
3 flagged · loading sourcePackage contains a possible secret pattern.
dist/commands/server.jsView on unpkg · L141Package source references dynamic require/import behavior.
dist/commands/harness.jsView on unpkg · L343This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands/host.jsView on unpkg