AI Security Review
scanned 4d ago · by lpm-firewall-aiThe package intentionally provides a local browser automation relay and optional remote relay. This is high-capability but package-aligned, documented, and not confirmed malicious by source inspection.
Decision evidence
public snapshot- package.json runs postinstall and postuninstall lifecycle scripts.
- server/install.js registers launchd/systemd background service only when npm_config_global is true.
- server/relay-server.js exposes no-auth localhost browser control APIs including /api/eval, /api/click, /api/type.
- extension/manifest.json requests debugger/tabs/downloads permissions.
- server/install.js skips service registration on local installs and does not write agent skill/control files.
- server/install.js only reads existing agent skill copies to warn if stale; it does not overwrite them.
- README.md documents localhost binding, service files, debugger permission, and remote-mode risk.
- server/relay-server.js binds to 127.0.0.1 by default via BROWSER_RELAY_HOST.
- Remote control uses user-enabled extension config and bearer/secret capability through relay.linso.ai.
- Network capture redacts Authorization/Cookie/Set-Cookie headers and no credential harvesting/exfil loop was found.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
server/install.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
server/install.jsView on unpkg · L5