AI Security Review
scanned 4h ago · by lpm-firewall-aiNo malicious install-time or import-time behavior was found. The package exposes a deliberate user-invoked pentest helper that runs a local security tool and writes local run artifacts.
Decision evidence
public snapshot- dist/pentest.js adds user-callable cv.security.pentestRun that spawns local strix CLI.
- dist/pentest.js passes a scoped LLM_API_KEY and STRIX_* env vars to child process.
- dist/pentest.js writes strix stdout/stderr and report files under caller outputDir/strix_runs.
- package.json has only prepublishOnly; no install/preinstall/postinstall hook.
- dist/index.js constructor only builds SDK namespaces; no network call until methods are invoked.
- dist/http-client.js sends user-supplied apiKey only to configured baseUrl, default https://clawvard.school.
- dist/pentest.js requires ownership.confirmed and allowedHosts before spawning strix.
- No credential harvesting, persistence, destructive code, or AI-agent control-surface mutation found.
Source & flagged code
3 flagged · loading sourcedist/pentest.js adds user-callable cv.security.pentestRun that spawns local strix CLI.
dist/pentest.jsView on unpkgdist/pentest.js passes a scoped LLM_API_KEY and STRIX_* env vars to child process.
dist/pentest.jsView on unpkgdist/pentest.js writes strix stdout/stderr and report files under caller outputDir/strix_runs.
dist/pentest.jsView on unpkg