AI Security Review
scanned 4d ago · by lpm-firewall-aiGlobal npm install creates and starts a user-level autostart daemon that exposes no-auth browser automation. The daemon can evaluate JavaScript in attached Chrome tabs and inspect page/network state.
Decision evidence
public snapshot- package.json runs postinstall server/install.js and postuninstall server/uninstall.js
- server/install.js global install writes ~/Library/LaunchAgents/org.browser-relay.service.plist or ~/.config/systemd/user/browser-relay.service
- server/install.js enables/starts the service with launchctl/systemctl during npm lifecycle
- server/relay-server.js exposes unauthenticated browser control APIs including /api/eval, /api/navigate, /api/download/start
- server/relay-server.js captures console/network data and redacts only selected headers
- server/remote-protocol.js and extension/background.js support remote relay via https://relay.linso.ai
- server/install.js skips service registration for non-global installs
- server/install.js only checks existing agent skill copies and does not overwrite .claude/.codex/.cursor skill directories
- relay host defaults to 127.0.0.1
- network capture redacts Authorization/Cookie/Set-Cookie headers
- remote relay appears opt-in via extension configuration/device id
- behavior is broadly aligned with documented browser relay purpose
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
server/install.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
server/install.jsView on unpkg · L5