AI Security Review
scanned 10h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime process execution, VM registry writes, and the gvproxy download occur only through explicit microVM boot/networking operations.
Decision evidence
public snapshot- `dist/index.js` downloads a `gvproxy` release binary during VM networking setup.
- `dist/index.js` uses child processes to launch VM helpers and user-requested guest commands.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `README.md` and `dist/index.js` consistently identify the package as a microVM runtime.
- Network download is limited to the explicit GitHub gvproxy release URL.
- Dynamic requires select matching declared `@machinen/native-*` optional dependencies.
- No credential harvesting, exfiltration, AI-agent config access, eval, or import-time execution found.
Source & flagged code
4 flagged · loading sourceSource combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L6640Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L498