AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an interactive coding-agent CLI whose privileged tools are activated during explicit runtime use, not installation.
Decision evidence
public snapshot- `package.json` postinstall only prints usage guidance.
- `scripts/postinstall.cjs` has no filesystem, network, or subprocess actions.
- `dist/cli.js` creates `.kitty` configuration only through explicit `kitty init`.
- `dist/chunk-3ZTULS6C.mjs` exposes shell, file, and HTTP tools as runtime agent capabilities.
- Runtime network requests use tool-supplied URLs; no hard-coded exfiltration endpoint was found.
- No import-time payload, credential harvesting, foreign agent-config mutation, or stealth persistence was found.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references weak cryptographic algorithms.
dist/chunk-NARZ6UPR.mjsView on unpkg · L119Package contains source files above the static scanner size ceiling.
dist/cli.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
dist/cli.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-3ZTULS6C.mjsView on unpkg