AI Security Review
scanned 3d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- dist/server/node_modules/@omega/agent/dist/tools.js exposes LLM tools read_file/write_file/run_command in projectPath
- dist/server/node_modules/@omega/agent/dist/executor.js runs agent tasks when tags include agent/self-improve
- dist/server/node_modules/@omega/agent/dist/publisher.js can pnpm publish and git tag/push when autoPublish passes
- dist/cli.js ui command starts bundled server and auto-adds current cwd as project
- package.json has only prepublishOnly; no install-time hook
- dist/cli.js network defaults are localhost HTTP/gRPC or user --api/env overrides
- dist/cli.js child_process starts bundled server or dev server from explicit ui command
- tools.js blocks path traversal and some destructive shell patterns
- Provider API keys are user-entered config, not harvested from env/files
Source & flagged code
4 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version.
dist/cli.jsView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L540