AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The risky primitives are package-aligned CLI features for installing agent assets, hooks, schedules, task integrations, and optional embeddings.
Decision evidence
public snapshot- bin/roster.js imports child_process and can spawn git, npx, crontab, and codex from explicit subcommands.
- bin/roster.js can install skills/agents and hooks into .claude, .codex, .gemini or user home when the CLI is invoked.
- bin/roster.js has user-configured network integrations for Notion, OpenAI embeddings, and GitHub skill refs.
- package.json has no preinstall/install/postinstall lifecycle scripts; only a roster bin entrypoint.
- README.md discloses the CLI purpose: scaffold/install AI-tool skills, agents, schedules, hooks, Notion tasks, and optional embeddings.
- bin/roster.js network calls are tied to named user commands/config such as task, brain embeddings, skills sync/update; no import-time exfiltration path found.
- Credential/env reads are validation or user-authenticated API use, not collection to an unrelated endpoint.
- File writes are bounded by workspace/tool paths with path traversal checks and prompts for symlink replacement.
Source & flagged code
7 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
bin/roster.jsView on unpkg · L11A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/roster.jsView on unpkg · L11Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/roster.jsView on unpkg · L5195Source writes installer persistence such as shell profile or service configuration.
bin/roster.jsView on unpkg · L11Package ships non-JavaScript build or shell helper files.
templates/hooks/banner.shView on unpkg