AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package activates only when a consumer calls runLint; its normal path validates a target directory and lints agent-related configuration files.
Decision evidence
public snapshot- package.json has no preinstall, install, postinstall, bin, or dependency runtime hooks.
- dist/index.js exports lint APIs and performs no top-level network, process, or filesystem action beyond module setup.
- runLint validates a caller-supplied directory, loads lint rules, then reads and analyzes selected project configuration files.
- dist/653.js is lazily loaded only by c12 remote-config extension handling; it is not reached by normal lint execution.
- dist/913.js Unicode controls are escaped JSON5 Unicode-range data, not executable bidi source text.
- All dynamic imports resolve to packaged local dist chunks.
Source & flagged code
3 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/653.jsView on unpkgPackage source references dynamic require/import behavior.
dist/653.jsView on unpkg · L756Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/913.jsView on unpkg · L21