AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface was found. Runtime proxy mode has risky but package-aligned behavior, including AI traffic logging and an enabled injected curl_proxy tool that can fetch arbitrary URLs if the model calls it.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User starts the CLI/server and sends Claude API traffic with tools, or uses authenticated UI endpoints.
Impact
May expose proxied prompts/API keys/responses to local UI/database and allows model-mediated URL fetches from the proxy host, but no covert exfiltration or persistence was found.
Mechanism
runtime AI proxy with logging, model tool injection, arbitrary URL fetch tool, PM2 control, and claude CLI execution
Rationale
Static inspection shows a package-aligned Claude proxy/monitoring server with a risky enabled URL-fetch tool, but no concrete malicious chain or unconsented install-time mutation. Warn rather than block.
Evidence
package.jsondist/server/index.jsdist/server/proxy.jsdist/server/ui-route.jsdist/config/index.jsdist/utils/tool-injector.jsdist/utils/inject-loop.jsdist/tools/curl.tool.jsdist/tools/probe.tool.jslogs/proxy.loglogs/proxy.db
Network endpoints1
ark.cn-beijing.volces.com/api/coding
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/tools/curl.tool.js defines enabled curl_proxy tool that fetches arbitrary supplied URLs via fetch().
- dist/utils/tool-injector.js injects all enabled tools into outbound Claude request bodies when tools exist.
- dist/utils/inject-loop.js executes injected tool calls returned by the upstream model.
- dist/server/proxy.js records full request headers/body, API keys, responses, and exposes request data through UI APIs.
- dist/server/ui-route.js exposes authenticated /ui/api/exec to run claude -p <prompt>.
Evidence against
- package.json has no preinstall/install/postinstall hooks; prepublishOnly is publish-time only.
- dist/server/index.js starts only when directly executed or under PM2, not on import alone.
- dist/config/index.js default upstream is package-aligned for an AI proxy.
- UI config/control/exec mutations use checkAuth in dist/server/ui-route.js.
- No hardcoded attacker endpoint, covert exfiltration, destructive behavior, or AI-agent config mutation found.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
Source & flagged code
2 flagged · loading sourcedist/ui/assets/codeql-DsOJ9woJ.jsView file
1const e=Object.freeze(JSON.parse('{"displayName":"CodeQL","fileTypes":["ql","qll"],"name":"codeql","patterns":[{"include":"#module-member"}],"repository":{"abstract":{"match":"\\\\...
L2: //# sourceMappingURL=codeql-DsOJ9woJ.js.map
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/ui/assets/codeql-DsOJ9woJ.jsView on unpkg · L1dist/server/ui-route.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @cc-monitoring/proxy-core@0.1.1
matchedIdentity = npm:[redacted]:0.1.1
similarity = 0.975
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/server/ui-route.jsView on unpkgFindings
1 High5 Medium6 Low
HighPrevious Version Dangerous Deltadist/server/ui-route.js
MediumDynamic Requiredist/ui/assets/codeql-DsOJ9woJ.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings