AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Runtime server import registers Dispatch actions. Authenticated Dispatch users or linked Telegram identities can invoke a remote code-agent relay, and workspace-resource actions can publish all-scope agent resources through the package's resource store. No install-time execution or confirmed covert payload chain is present.
Static reason
No blocking static signals were detected.
Trigger
Consumer imports `@jami-studio/dispatch/server`, then an authenticated user or linked Telegram identity invokes registered actions.
Impact
Can create or relay code-agent work and materialize workspace-wide agent instructions; this is an explicit product capability rather than covert package compromise.
Mechanism
Package-owned agent control-plane actions, guarded by application identity and approval/resource flows.
Rationale
The package is not malicious by source evidence, but it intentionally provides high-impact agent and workspace-resource control capabilities at runtime. Flag as warn so consumers assess authentication, relay configuration, and approval policy.
Evidence
package.jsonsrc/server/index.tssrc/actions/send-code-agent-remote-command.tssrc/server/lib/dispatch-remote-commands.tssrc/server/lib/workspace-resources-store.tssrc/server/lib/dispatch-integrations.tssrc/server/lib/vault-store.tssrc/server/lib/dispatch-store.tssrc/actions/create-pylon-ticket.tssrc/actions/view-screen.ts
Network endpoints4
api.sendgrid.com/v3/mail/sendslack.com/api/users.infoslack.com/api/conversations.infoapi.usepylon.com/issues
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/server/index.ts` registers package actions on server import.
- `src/server/lib/workspace-resources-store.ts` materializes all-scope skills/instructions/agents into the workspace resource store.
- `src/actions/send-code-agent-remote-command.ts` sends authenticated user commands to a remote code-agent relay.
- `src/server/lib/dispatch-remote-commands.ts` accepts linked Telegram `/code` commands and relays create/continue/approve/stop requests.
Evidence against
- `package.json` has only `prepack` and `prepublishOnly`; no install-time lifecycle hook.
- No package source use of `child_process`, shell execution, `eval`, or native/binary loading was found.
- Remote-code action requires `getRequestUserEmail()`; Telegram flow resolves a linked owner.
- Outbound requests are integration functions for Slack, SendGrid, Pylon, and the configured application relay; no hidden exfiltration endpoint found.
- No `.claude`, `.cursor`, `.codex`, git-hook, or broad filesystem mutation code was found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/actions/view-screen.jsView file
19const modulePath = `./${name}.js`;
L20: const module = (await import(/* @vite-ignore */ modulePath));
L21: if (!module.default)
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/actions/view-screen.jsView on unpkg · L19Findings
4 Medium5 Low
MediumDynamic Requiredist/actions/view-screen.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings