AI Security Review
scanned 2h ago · by lpm-firewall-aiAn authenticated user who runs `cva agent --auto-approve` starts a daemon that accepts CV-Hub-dispatched tasks. Those tasks can direct a fully tool-approved Claude Code subprocess; self-update tasks also reach shell commands with insufficient input validation.
Decision evidence
public snapshot- `dist/commands/agent.js` polls CV-Hub tasks then spawns `claude` with task-controlled prompts.
- `--auto-approve` permits `Bash(*)`, file writes, and web tools for dispatched tasks.
- Self-update interpolates task descriptions into shell `npm install` or `cd ... &&` commands.
- The agent streams Claude output and update output back to CV-Hub task-event APIs.
- `package.json` has no preinstall, install, or postinstall hook; `prepublishOnly` is publish-time only.
- Network use targets configured/default CV-Hub API endpoints and supports the stated task-dispatch product.
- Credential files are stored mode `0600`; prompts explicitly prohibit committing local secrets.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/utils/git-credentials.jsView on unpkg · L26Source executes local commands and sends command output to an external endpoint.
dist/commands/setup.jsView on unpkg · L17A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/bundle.cjsView on unpkg · L4062Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/bundle.cjsView on unpkg · L41Package source invokes a package manager install command at runtime.
dist/bundle.cjsView on unpkg · L23107