AI Security Review
scanned 2h ago · by lpm-firewall-ai
Install-time lifecycle code rewrites the enclosing Git repository hook path. This is an unconsented VCS control-surface mutation during npm lifecycle execution.
Decision evidence
public snapshot
- package.json has lifecycle prepare hook: git config core.hooksPath git-hooks
- prepare runs git rev-parse from install cwd and can mutate the enclosing consumer repo config
- No git-hooks directory is shipped, so the hook path rewrite is not a guarded package-owned extension install
- fased.mjs only bootstraps dist entry on explicit CLI execution
- dist/agent-scope-Cb1u7HE7.js network/API code appears tied to configured AI providers and OAuth flows
- Scanner remote-decode hint maps to Buffer.from(base64url) JWT parsing, not confirmed remote code execution
Source & flagged code
41 flagged
- Package source references child process execution. (dist/register.start-BbpJgyXr.js · L10)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (dist/daemon-cli.js · L38)
- Source writes installer persistence such as shell profile or service configuration. (dist/daemon-cli.js · L38)
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/agent-scope-Cb1u7HE7.js · L14)
- Package source references dynamic require/import behavior. (dist/agent-scope-Cb1u7HE7.js · L350)
- Package source references weak cryptographic algorithms. (extensions/voice-call/src/webhook-security.ts · L76)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/agent-scope-DHrLr5OF.js)
- Package ships non-JavaScript build or shell helper files. (scripts/start-managed.sh)
- Package contains source files above the static scanner size ceiling. (dist/plugin-sdk/reply-BlEQIxRB.js)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/prompt-select-styled-BFIFk4AL.js)
- Hardcoded password in docs/zh-CN/gateway/tailscale.md · L80
- Hardcoded password in docs/zh-CN/gateway/configuration.md · L3027
- Hardcoded password in docs/zh-CN/channels/bluebubbles.md · L43
- Hardcoded password in docs/gateway/tailscale.md · L128
- Hardcoded password in docs/gateway/configuration-reference.md · L629
- Hardcoded password in docs/gateway/configuration-reference.md · L2371
- Hardcoded password in docs/gateway/configuration-reference.md · L2398
- Hardcoded password in docs/channels/bluebubbles.md · L51
- Hardcoded password in extensions/irc/src/client.test.ts · L39
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L90
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L100
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L132
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L154
- Hardcoded password in extensions/bluebubbles/src/attachments.test.ts · L260
- Hardcoded password in extensions/bluebubbles/src/send.test.ts · L733
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L303
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L563
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L599
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L639
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L674
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L675
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L728
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L782
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L3088
- Hardcoded password in extensions/bluebubbles/src/monitor.test.ts · L3092
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts · L54
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts · L95
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts · L109
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts · L128
- Hardcoded password in extensions/bluebubbles/src/actions.test.ts · L207