AI Security Review
scanned 3d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/chunk-WZGKQ4WN.js` registers `shell_exec` for agent responses.
- `shell_exec` passes supplied commands to `execSync`/`sh -c`.
- The tool allows project file writes and scaffold cleanup.
- Tool code includes remote installer command URLs.
- `package.json` has no preinstall/install/postinstall hook.
- `dist/cli.js` loads agent execution only after user CLI invocation.
- `dist/login-2RCW33BA.js` posts credentials only to a user-entered API URL.
- `dist/init-KYDTSZYF.js` writes only explicit `.intellicode/` setup files.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
dist/update-3RA2HA44.jsView on unpkg · L4Package source invokes a package manager install command at runtime.
dist/update-3RA2HA44.jsView on unpkg · L19Package source references weak cryptographic algorithms.
dist/knowledge-VZYH555V.jsView on unpkg · L80This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-WZGKQ4WN.jsView on unpkg