AI Security Review
scanned 5h ago · by lpm-firewall-ai
The package has an npm prepare lifecycle hook that silently rewrites the active git worktree hooksPath to git-hooks. In a normal install inside a git-tracked project, this can mutate the consumer repository's Git hook configuration without user consent.
Decision evidence
public snapshot
- package.json prepare runs during npm lifecycle and executes git config core.hooksPath git-hooks when cwd is inside any git worktree
- npm lifecycle cwd under node_modules can still resolve the consumer repo worktree, mutating that repo's .git/config without opt-in
- prepare hook is not a build step and is unrelated to declared bin fased.mjs runtime
- dist/agent-scope-CJnlJJmZ.js contains first-party agent workspace/bootstrap writers, confirming agent-control capabilities exist in package runtime
- fased.mjs only reexecs supported Node and imports dist/entry.js
- scanner remote decode/eval hint was not confirmed: searched runtime/index/entry bundles found no new Function/eval/http import pattern
- dist/send-D4mEqkCy.js Discord network calls are package-aligned messaging features using discord.com API
Source & flagged code
42 flagged
- Package source references child process execution. (dist/gateway-cli-BdCm_i_j.js · L152)
- Package source references dynamic require/import behavior. (dist/gateway-cli-BdCm_i_j.js · L3214)
- Source writes installer persistence such as shell profile or service configuration. (dist/gateway-cli-BdCm_i_j.js · L2)
- Package source references weak cryptographic algorithms. (extensions/voice-call/src/webhook-security.ts · L76)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/onboarding.wallet-DQJIoDsv.js · L3227)
- Source executes local commands and sends command output to an external endpoint. (dist/send-D4mEqkCy.js · L14)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (dist/daemon-cli.js · L38)
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/plugin-sdk/runtime-m6qXwTxP.js · L12)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/plugin-sdk/runtime-m6qXwTxP.js)
- Package ships non-JavaScript build or shell helper files. (scripts/start-managed.sh)
- Package contains source files above the static scanner size ceiling. (dist/pi-embedded-DWKZg9Eu.js)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/agent-scope-CJnlJJmZ.js)
- Hardcoded password in docs/zh-CN/gateway/tailscale.md · L80
- Hardcoded password in docs/zh-CN/gateway/configuration.md · L3027
- Hardcoded password in docs/zh-CN/channels/bluebubbles.md · L43
- Hardcoded password in docs/gateway/tailscale.md · L128
- Hardcoded password in docs/gateway/configuration-reference.md · L629
- Hardcoded password in docs/gateway/configuration-reference.md · L2371
- Hardcoded password in docs/gateway/configuration-reference.md · L2398
- Hardcoded password in docs/channels/bluebubbles.md · L51
- Hardcoded password in extensions/irc/src/client.test.ts · L39
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L90
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L100
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L132
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L154
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L260
- Hardcoded password in extensions/bluebubbles/src/send.test.ts · L733
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L303
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L563
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L599
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L639
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L674
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L675
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L728
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L782
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L3088
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L3092
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts · L54
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts · L95
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts · L109