AI Security Review
scanned 4d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- dist/commands/init.js writes AGENTS.md and .github/copilot-instructions.md during explicit edgebase init.
- Generated AI guidance instructs agents to use EdgeBase package docs/llms.txt and local config context.
- dist/lib/load-config.js evaluates project edgebase.config.ts via tsx/esbuild for CLI commands.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/index.js only registers commander CLI commands; no install/import-time payload.
- dist/lib/telemetry.js stores opt-in events locally in ~/.edgebase/telemetry.json and says disabled by default.
- Network use is aligned to Cloudflare/worker/local dev endpoints for deploy, backup, plugins, Turnstile, and admin workflows.
- child_process usage invokes wrangler/npm/node/tar/packaging tools in user-run commands, not hidden persistence or exfiltration.
Source & flagged code
6 flagged · loading sourcePackage source references child process execution.
dist/lib/turnstile-provision.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/lib/dev-sidecar.jsView on unpkg · L284Package source references a known benign dynamic code generation pattern.
dist/lib/dev-sidecar.jsView on unpkg · L284Package source references weak cryptographic algorithms.
dist/commands/dev.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/commands/deploy.jsView on unpkg · L1