AI Security Review
scanned 2d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `packages/commands/dist/commands.js` exposes explicit `install-skill`.
- `packages/commands/dist/install-skill/install.js` detects Claude, Codex, Antigravity, and Copilot home configs.
- Explicit command creates symlinks in agent skill directories; `--force` can remove an existing target.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `packages/commands/bin.js` only launches the selected CLI command.
- `packages/commands/dist/cli.js` imports only registry-defined local command modules.
- Installer links the bundled `packages/commands/dist/skills/hiver` directory; no remote payload fetch is present.
- No credential harvesting or external exfiltration endpoint was found in reviewed command code.
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
packages/inspector-client/dist/assets/index-ByHwJMFL.jsView on unpkg · L45Package contains source files above the static scanner size ceiling.
packages/inspector-client/dist/assets/monacoThemes-B_8aT0rf.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
packages/commands/dist/index.jsView on unpkg