AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an AI-agent CLI/server with user-invoked shell, plugin, HTTP, mail, Google, LLM, search, and migration capabilities, but inspected code shows consent/config gates and secret/SSRF hardening rather than install-time compromise.
Decision evidence
public snapshot- package.json has postinstall lifecycle spawning scripts/postinstall.cjs
- dist/tools/builtin/bash.js exposes an agent bash tool using execSync
- dist/core/plugins.js can npm install/import user-enabled plugins
- dist/core/managed-usage-summary.js can send instance usage request to LYNOX_MANAGED_CONTROL_PLANE_URL
- scripts/postinstall.cjs only prints a direct-install CLI hint; no file writes, network, or config mutation
- dist/integrations/inbox/notifier.js strips bidi/control chars rather than hiding Trojan Source behavior
- dist/core/transcribe/whisper-cpp.js uses execFile/spawn with fixed binaries, shell:false, safe temp basename, cleanup
- dist/server/http-api.js blocks cloud metadata endpoints for SearXNG checks and requires public HTTPS for migration export
- dist/core/secret-store.js excludes infrastructure secrets from agent-visible resolution
- Network endpoints are product-aligned API/status/OAuth/search/control-plane integrations, mostly env/user configured
Source & flagged code
8 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
dist/core/plugins.jsView on unpkg · L77Source reaches cloud instance metadata or link-local credential endpoints.
dist/server/http-api.jsView on unpkg · L7Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/core/worker-loop.jsView on unpkg · L332Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/integrations/inbox/notifier.jsView on unpkg · L86A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/integrations/inbox/notifier.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/core/transcribe/whisper-cpp.jsView on unpkg