AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an explicit Kraki CLI/daemon that connects local coding agents to a configured relay and manages user-invoked setup, pairing, daemon startup, and updates.
Decision evidence
public snapshot- dist/daemon-worker.js reads GitHub auth token via `gh auth token` or saved token to authenticate to relay.
- dist/setup.js and dist/config.js can save GitHub/Anthropic tokens under user config during explicit setup/headless setup.
- dist/daemon.js writes a macOS LaunchAgents plist and spawns a daemon when user runs the CLI.
- dist/adapters/copilot.js creates a shadow Copilot config dir and writes empty permissions-config.json.
- dist/update.js can self-update via npm global install or GitHub release binary when `kraki update` is invoked.
- package.json has no preinstall/install/postinstall lifecycle hooks; only bin `kraki` and main entrypoint.
- Risky behavior is user-command/runtime behavior for a remote coding-agent bridge, not install-time mutation.
- Network hosts are package-aligned: relay.kraki.chat, app.kraki.chat, api.github.com, github.com repository releases/auth.
- Copilot permission config write is a package-owned shadow under Kraki home, intended to force permission prompts, not silently alter ~/.copilot permissions.
- No source evidence of credential exfiltration beyond authenticating/pairing with configured relay; no obfuscated payload or hidden remote code execution.
Source & flagged code
7 flagged · loading sourceSource writes installer persistence such as shell profile or service configuration.
dist/daemon.jsView on unpkg · L7Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/update.jsView on unpkg · L9Package source invokes a package manager install command at runtime.
dist/update.jsView on unpkg · L4This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/adapters/copilot.jsView on unpkgPackage metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/adapters/copilot.jsView on unpkg · L266