AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a loopback Fleet Console with terminal, git diff, plugin, and update features that explain the scanner signals.
Decision evidence
public snapshot- package.json defines postinstall lifecycle script
- postinstall.mjs can chmod node-pty darwin spawn-helper files and may spawn dist/cli.mjs only for global interactive installs
- dist/cli.mjs contains local console server, terminal PTY, plugin loading, self-update worker, and child_process use
- dist/fleet-plugins/diff/routes.mjs exposes git diff routes that spawn git
- postinstall.mjs is bounded to node-pty helper permissions and skips auto-open unless global install, non-CI, display available, and not opted out
- dist/cli.mjs binds default server to 127.0.0.1 and validates Host/Origin/lock token on sensitive routes
- self-update flow installs only @dotobokuri/fleet-cli and @dotobokuri/fleet-console after explicit /api/v1/updates/apply, with forbidden body version/package override keys
- diff plugin validates git refs with isSafeGitRef, uses shell:false, and checks theater path containment including realpath for untracked files
- external plugin discovery is package-aligned local extension behavior under ~/.fleet/plugins with manifest path containment and API version gating
- Network calls are update/release/provider endpoints aligned with a Fleet Console terminal/AI-agent GUI, not credential exfiltration
Source & flagged code
8 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/client/assets/index-D3a51i1X.jsView on unpkg · L155Package source references dynamic require/import behavior.
dist/client/assets/index-D3a51i1X.jsView on unpkg · L10Package source references shell execution.
dist/fleet-plugins/terminal/routes.mjsView on unpkg · L17477Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.mjsView on unpkg · L1Package ships high-entropy non-source blobs.
dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/fleet-plugins/diff/routes.mjsView on unpkg