AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a local companion daemon that can launch user-installed AI CLIs and inject temporary MCP/session context only after explicit runtime use from allowed origins.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall chmod helper; geo-companion start plus allowed web request activates terminal sessions
Impact
Runtime can start local AI CLI sessions for the package workflow, but source shows origin/API allowlists and temporary session-scoped files rather than stealth persistence or exfiltration.
Mechanism
local loopback HTTP/WebSocket daemon with temporary AI CLI workspace setup
Rationale
Static inspection found risky primitives, but they are aligned with the declared local companion purpose and gated to explicit runtime use with loopback binding plus origin/API allowlists. The install hook only repairs node-pty executable permissions and does not perform unconsented agent configuration mutation, exfiltration, persistence, or remote code execution.
Evidence
package.jsonscripts/fix-pty-helper.jsbin/geo-companion.jssrc/config.jssrc/server.jssrc/backend.jssrc/detect.jssrc/terminal.jsREADME.mdnode-pty/prebuilds/*/spawn-helper$GEO_COMPANION_WORKSPACE or os.tmpdir()/geo-companion session dirs.mcp.jsonCLAUDE.mdAGENTS.md.cursor/mcp.json.codex-home/config.toml.codex-home/auth.json
Network endpoints10
127.0.0.1:8765localhost:5173127.0.0.1:5173localhost:5175127.0.0.1:5175pages.trydeepalign.comdashboard.noiseoff.cnlocalhost:3001127.0.0.1:3001tcninreey9r1.feishu.cn/wiki/VJw5wt4JEidRn0kced7c8n9Fn5c?table=tblVibApxcxwKCXe&view=vewqnwl48V
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json has postinstall script: node scripts/fix-pty-helper.js
- src/terminal.js can spawn local claude/codex/cursor via node-pty after user-triggered server flow
- src/terminal.js writes temporary .mcp.json, AGENTS.md/CLAUDE.md, .cursor/mcp.json, and per-session CODEX_HOME files
- src/backend.js posts user-supplied token/brandId to whitelisted API bases
Evidence against
- scripts/fix-pty-helper.js only chmods optional node-pty prebuild spawn-helper and does not mutate agent configs
- src/server.js listens on 127.0.0.1 and requires Origin allowlist for detect/deep-dive/terminal
- src/backend.js restricts validation callbacks to ALLOWED_API_BASES
- src/terminal.js uses per-session temp workspace and removes it on dispose
- No credential harvesting loop, broad file scanning, remote payload loading, or install-time AI-agent control-surface mutation found
- README.md describes the local companion, origin allowlist, backend allowlist, and AI CLI launch behavior
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/fix-pty-helper.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High3 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License