AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface from static source inspection. The package is a Tandem control-panel CLI/server with user-invoked setup, local service management, and configured product API proxies.
Decision evidence
public snapshot- package.json has no install/postinstall hook; only prepublishOnly build is publisher-side
- bin/cli.js only runs user-invoked init/run/doctor/service commands
- lib/setup/env.js writes package-owned Tandem config/state under XDG/AppData/.tandem paths
- lib/setup/services/systemd.js and launchd.js install Tandem services only via explicit service/init command and require root
- bin/setup.js network use proxies configured/local Tandem engine, ACA, KB, and https://search.tandem.ac endpoints
- No writes to foreign AI-agent surfaces such as CLAUDE.md, .mcp.json, Codex/Cursor settings, or shell startup files found
Source & flagged code
5 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/assets/index-D2jasLWI.jsView on unpkg · L2Manifest entrypoint contains risky behavior absent from dist/build output.
bin/cli.jsView on unpkg · L3Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/assets/vendor-vciVI5Np.jsView on unpkg · L156Package ships non-JavaScript build or shell helper files.
bin/service-local.shView on unpkg