AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs coreframe CLI subcommands such as upgrade check-skill-current --apply, upgrade fast-forward-template-files --apply, deploy, or db commands.
Impact
Can modify project files, deploy artifacts, or replace a Coreframe-owned agent skill only when the user invokes those commands.
Mechanism
Explicit CLI project automation and template/agent skill update helpers
Rationale
Static inspection shows no lifecycle hook, stealth persistence, credential exfiltration, or remote payload execution. Because the package can explicitly mutate an agent skill file, the appropriate firewall action is a warning rather than a publish block.
Evidence
package.jsonbin/coreframe.jsdist/coreframe.jsdist/config.jsdist/upgrade/check-skill-current.jsdist/upgrade/ensure-template-remote.jsdist/upgrade/fast-forward-template-files.jsdist/deploy.jsdist/deploy/tauri-release.js.agents/skills/coreframe-upgrade/SKILL.mdtauri/src-tauri/tauri.conf.jsontauri/src-tauri/Cargo.tomltauri/src-tauri/Cargo.lockassets/manifest.json.coreframe/assets/*release-upload/*
Network endpoints1
github.com/airlock-labs/coreframe.git
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/upgrade/check-skill-current.js can overwrite .agents/skills/coreframe-upgrade/SKILL.md when run with --apply.
- dist/upgrade/ensure-template-remote.js adds/fetches https://github.com/airlock-labs/coreframe.git as a template remote on explicit command.
- dist/upgrade/fast-forward-template-files.js can write/delete project files with --apply after comparing template git refs.
- dist/deploy.js and dist/deploy/tauri-release.js run deploy tooling such as pnpm, wrangler, gh, and b2 under explicit deploy/release commands.
Evidence against
- package.json defines no preinstall/install/postinstall lifecycle scripts.
- bin/coreframe.js only builds missing dist locally and dispatches to dist/coreframe.js when the CLI is invoked.
- dist/config.js dynamically imports only the local project coreframe.config.ts.
- No credential harvesting or exfiltration endpoint was found; env vars are passed to project deploy/database tooling.
- Network-capable commands are package-aligned CLI workflows, not install-time behavior.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/config.jsView file
1import{access as e}from"node:fs/promises";import{resolve as t}from"node:path";import{pathToFileURL as n}from"node:url";function r(e){return e}async function i({cwd:r=process.cwd()}...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/config.jsView on unpkg · L1dist/db/drizzle-kit.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @coreframe/scripts@0.1.5
matchedIdentity = npm:QGNvcmVmcmFtZS9zY3JpcHRz:0.1.5
similarity = 0.818
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/db/drizzle-kit.jsView on unpkgFindings
1 High4 Medium5 Low
HighPrevious Version Dangerous Deltadist/db/drizzle-kit.js
MediumDynamic Requiredist/config.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License