AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/index.js` explicit `install`/`update` commands overwrite project AI control files.
- `dist/index.js` writes `AGENTS.md`, `CLAUDE.md`, `.cursorrules`, `.windsurfrules`, `GEMINI.md`, and `.claude/skills`.
- `dist/index.js` supports user-selected plugin cloning, `npm install`, and dynamic plugin import.
- `dist/index.js` uploads user-selected evidence files with `DEVAUDIT_API_KEY` authorization.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `bin/devaudit.js` only imports the CLI; mutations require registered CLI actions.
- AI-rule mutation is attached to explicit `install`/`update` workflows, not package installation.
- Network calls target declared DevAudit/GitHub service endpoints and use supplied credentials.
Source & flagged code
6 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
sdlc/src/bin/devaudit-sdlc.jsView on unpkgPackage source references child process execution.
sdlc/src/bin/devaudit-sdlc.jsView on unpkg · L3Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L1782Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L79Package ships non-JavaScript build or shell helper files.
scripts/upload-evidence.shView on unpkg