AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established, but the package is a powerful first-party AI agent daemon with explicit background installation and runtime agent control. Risk is user-invoked and package-aligned rather than npm install-time hijacking.
Decision evidence
public snapshot- dist/cli/index.js spawns Claude/Codex agent runtimes and injects a local mio wrapper into PATH.
- dist/cli/index.js launches Claude with bypass/skip-permissions flags for persona extraction.
- dist/cli/index.js explicit `install --background --version` writes a LaunchAgent plist and downloads a release binary.
- dist/cli/index.js forwards agent actions to configured Mio server using a machine token.
- dist/runtimes/skills/*.md provide agent skills for messaging, tasks, reminders, attachments, profile updates.
- package.json has no install/preinstall/postinstall hook; only prepublishOnly build script.
- Persistence is behind explicit `mio-agent install --background --version`, not npm install-time execution.
- Login stores a package-owned machine token in macOS Keychain and config under ~/.mio after QR approval.
- Release download is GitHub MioMioOS-owned and verifies manifest plus SHA-256 before installing.
- Network endpoints are package-aligned: default server and MioMioOS GitHub releases.
- No source evidence of broad credential harvesting, destructive behavior, or covert exfiltration.
Source & flagged code
6 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
dist/cli/index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/index.jsView on unpkg · L1Package source references child process execution.
dist/cli/index.jsView on unpkg · L189A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/index.jsView on unpkg · L189Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli/index.jsView on unpkg · L189Source writes installer persistence such as shell profile or service configuration.
dist/cli/index.jsView on unpkg · L1