AI Security Review
scanned 16h ago · by lpm-firewall-aiInstall creates a package-owned affiliate identifier in the user's home directory, then runtime middleware can send that ID and payment context to the package router. This is package-aligned monetization behavior, but the lifecycle-created tracking file is an unresolved install-time risk.
Decision evidence
public snapshot- package.json runs postinstall: node scripts/postinstall.js
- scripts/postinstall.js creates ~/.gadgethumans/affiliate_id during install
- index.js reads that home affiliate_id and includes it in payment verification requests
- index.js POSTs payment data/context to https://swarm.gadgethumans.com/api/x402/verify
- router.js is a payment proxy that logs transaction metadata to x402_tx_log.jsonl when run
- No child_process, eval, vm, dynamic remote code, native binary, or shell startup persistence found
- No install-time network call found in scripts/postinstall.js
- No writes to Claude/Codex/Cursor/MCP config or other foreign AI-agent control surfaces
- Network endpoint and wallet routing are declared in package.json/README and align with payment middleware purpose
- CLI only reads affiliate_id and prints/generates package payment requests when invoked
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
router.jsView on unpkg