AI Security Review
scanned 3h ago · by lpm-firewall-aiInteractive `cap build` telemetry can include signing-password command options in its outbound metric. No install-time execution or AI-agent control-surface mutation was found.
Decision evidence
public snapshot- `dist/index.js` wraps `build` with telemetry while accepting `--keystorepass` and `--keystorealiaspass`.
- `dist/telemetry.js` serializes all command options via `JSON.stringify(cmd.opts())`.
- `dist/telemetry.js` enables telemetry on first interactive use and sends the collected metric.
- `dist/ipc.js` POSTs telemetry JSON to `metrics-capacitor.outsystems.com`.
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `bin/capacitor` only checks the Node version and invokes `dist/index.js`.
- Telemetry transmission is limited to interactive sessions with telemetry enabled.
- Archive assets list as native project templates; no agent-control files or evaluator primitives were found.
Source & flagged code
4 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/ipc.jsView on unpkg · L3Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/util/cli.jsView on unpkg · L4Package ships compressed or archive-like blobs.
assets/capacitor-cordova-android-plugins.tar.gzView on unpkgPackage ships high-entropy non-source blobs.
assets/ios-pods-template.tar.gzView on unpkg