AI Security Review
scanned 1d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. On explicit CLI/MCP-server launch, the package creates package-owned capability tokens and persists review state under its configured data directory. It can submit user-supplied review material to configured first-party model-provider APIs. No install-time or foreign control-surface mutation is established.
Static reason
One or more suspicious static signals were detected.
Trigger
User launches `cross-review` or invokes its MCP tools.
Impact
Review content may leave the host through configured provider APIs; local MCP capability-token and session files are created.
Mechanism
MCP multi-model review service with local token/session persistence and provider API requests.
Rationale
Source inspection found no npm lifecycle execution, payload staging, foreign agent-config writes, or arbitrary command execution. The package still creates MCP capability state and transmits review requests to model providers during normal runtime, so a warn is appropriate for this capability-bearing MCP service.
Evidence
package.jsondist/src/mcp/server.jsdist/src/core/caller-tokens.jsdist/src/core/session-store.jsdist/src/observability/logger.jsdist/src/peers/deepseek.js<data_dir>/host-tokens.json<data_dir>/sessions/<data_dir>/logs/
Network endpoints3
api.deepseek.comapi.x.ai/v1api.perplexity.ai
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/src/mcp/server.js` initializes caller tokens when the CLI MCP server starts.
- `dist/src/core/caller-tokens.js` creates `<data_dir>/host-tokens.json` and supports operator-triggered token rotation.
- The runtime sends review content to configured model-provider APIs, including DeepSeek, xAI, and Perplexity.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- No eval, VM, dynamic payload loader, shell execution, or foreign AI-agent config mutation was found.
- `caller-tokens.js` uses `spawnSync` only for a time-bounded parent-process snapshot.
- Session, log, cache, and token writes are scoped to the configured `data_dir`.
- The scanner's secret hit is in `dist/scripts/smoke.js` test coverage, not an embedded credential.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/scripts/smoke.jsView file
7141patternName = private_key_rsa
severity = critical
line = 7141
matchedText = const tr...ED`;
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/scripts/smoke.jsView on unpkg · L71417141patternName = private_key_rsa
severity = critical
line = 7141
matchedText = const tr...ED`;
Critical
7143patternName = private_key_rsa
severity = critical
line = 7143
matchedText = assert.o....");
Critical
CHANGELOG.mdView file
902patternName = private_key_rsa
severity = critical
line = 902
matchedText = `-----BE...hing
Critical
Findings
4 Critical2 Medium4 Low
CriticalCritical Secretdist/scripts/smoke.js
CriticalSecret PatternCHANGELOG.md
CriticalSecret Patterndist/scripts/smoke.js
CriticalSecret Patterndist/scripts/smoke.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings