AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package intentionally provides a browser automation relay. Risk is from a global-install autostart service plus unauthenticated localhost browser-control API, but this is package-aligned and not a confirmed malicious chain.
Decision evidence
public snapshot- package.json runs postinstall server/install.js and postuninstall server/uninstall.js
- server/install.js registers launchd/systemd user service on global install and starts relay
- server/relay-server.js exposes unauthenticated localhost HTTP/WebSocket browser-control API including /api/eval
- extension/manifest.json requests debugger/tabs/downloads permissions
- extension/background.js supports opt-in remote control via https://relay.linso.ai with capability secret
- server/install.js skips service registration for local installs
- No install-time writes to foreign AI-agent config; it only checks stale skills and prints update advice
- Remote relay requires extension option toggle and generated secret in extension/options.js
- Network header capture redacts authorization/cookie/set-cookie in server/relay-server.js
- No credential file harvesting, destructive actions, or remote payload download/execute found
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
server/install.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
server/install.jsView on unpkg · L5