AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. Risky primitives are aligned with a self-hosted AI gateway and messaging CLI: configured provider auth, Discord sending, and audio conversion.
Decision evidence
public snapshot
- package.json has a prepare hook that runs git config core.hooksPath git-hooks when inside a git worktree.
- dist/send-pgDAogV8.js can send Discord messages/webhooks and upload media to Discord under runtime options.
- dist/send-pgDAogV8.js invokes ffprobe/ffmpeg for user-requested Discord voice message conversion.
- fased.mjs only bootstraps dist entry and warning filter; no install-time exfiltration observed.
- dist/index.js import-time work loads dotenv, normalizes env, builds CLI, and only parses commands when run as main.
- dist/auth-choice-DT4p5QVd.js handles explicit onboarding secrets/OAuth and stores configured auth profiles, not ambient credential harvesting.
- Discord network endpoints in dist/send-pgDAogV8.js are package-aligned messaging features using configured tokens/targets.
- No evidence of hidden payload download, persistence, destructive behavior, or unauthorized AI-agent control-surface mutation.
Source & flagged code
41 flagged
- Package source references child process execution (dist/paths-CcTInsz7.js · L8)
- Package source references shell execution (extensions/acpx/src/runtime-internals/process.ts · L33)
- Package source references dynamic require/import behavior (dist/query-expansion-aFF5iDSy.js · L84)
- Package source references weak cryptographic algorithms (extensions/voice-call/src/webhook-security.ts · L76)
- Source writes installer persistence such as shell profile or service configuration (dist/completion-cli-BS5owZSW.js · L1)
- Source appears to send environment or credential material to an external endpoint (dist/auth-choice-DT4p5QVd.js · L1)
- Source executes local commands and sends command output to an external endpoint (dist/send-pgDAogV8.js · L15)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior (dist/send-pgDAogV8.js · L15)
- Package ships non-JavaScript build or shell helper files (scripts/start-managed.sh)
- Package contains source files above the static scanner size ceiling (dist/model-catalog-hjXNofhs.js)
- Hardcoded password in docs/zh-CN/gateway/tailscale.md (L80)
- Hardcoded password in docs/zh-CN/gateway/configuration.md (L3027)
- Hardcoded password in docs/zh-CN/channels/bluebubbles.md (L43)
- Hardcoded password in docs/gateway/tailscale.md (L128)
- Hardcoded password in docs/gateway/configuration-reference.md (L629)
- Hardcoded password in docs/gateway/configuration-reference.md (L2371)
- Hardcoded password in docs/gateway/configuration-reference.md (L2398)
- Hardcoded password in docs/channels/bluebubbles.md (L51)
- Hardcoded password in extensions/irc/src/client.test.ts (L39)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (L90)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (L100)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (L132)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (L154)
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts (L260)
- Hardcoded password in extensions/bluebubbles/src/send.test.ts (L733)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L303)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L563)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L599)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L639)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L674)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L675)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L728)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L782)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L3088)
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts (L3092)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (L54)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (L95)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (L109)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (L128)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (L207)
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts (L226)