AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/services/provider-tool-manager.js` fetches and installs third-party AI CLIs in Docker when a provider is prepared.
- `dist/infrastructure/providers/cli/docker-credential-mount-builder.js` conditionally read-only mounts configured Git and AI-provider credentials into agent containers.
- `dist/server/terminal-routes.js` exposes user-triggered provider login sessions that spawn Docker and create local callback proxies.
- `dist/infrastructure/providers/cli/workspace-artifact-service.js` applies agent patches, creates Git commits, and can push worker branches.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `dist/index.js` starts only when the CLI entrypoint is invoked; there is no import-time external payload action.
- `.code-ux/container/setup.sh` only prints setup guidance and does not install or execute a hidden payload.
- `dist/server/terminal-routes.js` restricts provider IDs, validates credential-directory segments, and binds callback forwarding to loopback.
Source & flagged code
11 flagged · loading sourcePackage source references child process execution.
dist/server/terminal-routes.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/server/terminal-routes.jsView on unpkg · L442Package source references dynamic require/import behavior.
dist/server/terminal-routes.jsView on unpkg · L279Package source references weak cryptographic algorithms.
dist/server/terminal-routes.jsView on unpkg · L1Package source references shell execution.
dist/repositories/db/deferred-index-builder.jsView on unpkg · L37Source reaches cloud instance metadata or link-local credential endpoints.
dist/services/node-flows/egress-policy-service.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dashboard/dist/assets/html.worker-BO6WuOEO.jsView on unpkg · L29Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.code-ux/container/setup.shView on unpkgPackage ships non-JavaScript build or shell helper files.
.code-ux/container/setup.shView on unpkgPackage contains source files above the static scanner size ceiling.
dashboard/dist/assets/editor.api2-KGjWAjnM.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/infrastructure/providers/cli/workspace-artifact-service.jsView on unpkg