AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. An explicit FireForge mach/build workflow installs a persistent Python resource-monitor guard into Firefox mach virtual environments and supplies a temporary PYTHONPATH fallback. This is a guarded platform-extension lifecycle mutation, not install-time execution or a confirmed malicious payload.
Decision evidence
public snapshot- `dist/src/core/mach-resource-shim.js` writes Python guard modules into discovered Firefox mach virtualenv `site-packages`.
- The same shim prepends a temp `sitecustomize.py` directory to `PYTHONPATH` and monkey-patches Python imports/resource monitors.
- `package.json` has a `prepare` hook, but the shipped `scripts/prepare.mjs` is absent and its ERR_MODULE_NOT_FOUND path exits successfully.
- No `preinstall`, `install`, or `postinstall` hook is declared.
- Network code is Firefox-source download logic restricted to `https://archive.mozilla.org` with SHA-256 verification.
- CLI process execution uses explicit FireForge commands to run Firefox/mach tooling; no credential harvesting or exfiltration was found.
- Dynamic imports in `dist/src/core/firefox-cache.js` and `dist/src/core/firefox.js` load Node filesystem/path modules, not remote code.
- No AI-agent configuration paths or foreign agent-control-surface mutations were found.
Source & flagged code
2 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/src/core/typecheck-shim.jsView on unpkg · L48This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/core/firefox-cache.jsView on unpkg