AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an AI agent CLI/runtime with powerful user-invoked shell, web, MCP, memory, session, and scheduling features, but inspection did not find unconsented install-time mutation or exfiltration.
Decision evidence
public snapshot- package.json has prepare hook: git config core.hooksPath .githooks
- dist/cli.js can create OS scheduled jobs under ~/.agent/sched and LaunchAgents/crontab
- dist/tools.shell.js exposes user-invoked /bin/sh Shell tool
- dist/mcp.client.js can spawn configured MCP stdio commands
- No preinstall/install/postinstall script in package.json
- prepare hook is VCS/dev-time git hook setup, not npm install-time broad agent hijack
- dist/cli.js main only runs on bin invocation; import side effects are definitions/exports
- CLI prompts for directory trust unless --yes before file-editing workflow
- Shell, MCP, scheduling, web, and memory writes are documented agent features activated by CLI/config/user commands
- Secret handling redacts shell output/env and denies common secret paths in jail defaults
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/index.jsView on unpkg · L4183Package source references dynamic require/import behavior.
dist/cli.jsView on unpkg · L507Source writes installer persistence such as shell profile or service configuration.
dist/cli.jsView on unpkg · L22