AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package has high-privilege AI-agent CLI capabilities and an install hook, but inspected behavior is aligned with a Letta Code CLI and user-invoked setup/runtime features.
Decision evidence
public snapshot
- package.json postinstall runs scripts/postinstall-patches.js and chmods node-pty helper
- scripts/postinstall-patches.js overwrites installed ink/ink-text-input files from bundled vendor copies and may rewrite letta.js shebang
- letta.js can write user settings/keybindings and download fd from GitHub during user-invoked CLI runtime
- package.json bin points to letta.js, a large bundled CLI for Letta agents; no obfuscated install payload found
- postinstall-patches.js only copies local vendor UI patches, checks bun --version, and changes local CLI shebang
- Network use in letta.js is product-aligned: Letta API, GitHub skill/agent/fd downloads, ClawHub skill registry, local WebSocket server
- Credential handling is for LETTA_API_KEY/refresh tokens and local/keychain storage, not broad env harvesting or exfiltration
- skills/initializing-memory scripts only inspect local Claude/Codex session files when explicitly run
- No dependency confusion, destructive install behavior, persistence, or reviewer/prompt manipulation observed
Source & flagged code
5 flagged
- Install-time lifecycle script matches a deterministic static-gate block pattern. (package.json)
- Package defines install-time lifecycle scripts. (package.json)
- Package ships non-JavaScript build or shell helper files. (skills/initializing-memory/scripts/list-sessions.sh)
- Package contains source files above the static scanner size ceiling. (letta.js)
- Package contains an oversized executable-looking CLI entrypoint. (letta.js)