AI Security Review
scanned 1h ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. The package is a user-invoked remote-access CLI whose SSH, Cloudflare tunnel, broker, and AI helper features are powerful but consistent with the package's stated purpose.
Decision evidence
public snapshot
- src/modes/host.js can start SSH, inject an ephemeral public key into ~/.ssh/authorized_keys, expose services through cloudflared, and auto-install tmux, all only in explicit host mode.
- The `service install` command in src/cli.js installs and starts a PM2 background host service, but only when the user runs `ipingyou service install`.
- src/lib/broker.js sends encrypted client telemetry (username, public IP, OS, CPU, RAM) to the selected broker after a client connects.
- package.json declares no preinstall, install, or postinstall hook; the only lifecycle script is prepublishOnly, which runs help-output checks on the publisher's side.
- The dangerous flows in src/cli.js are reached only through explicit CLI commands or interactive choices, never at import time or install time.
- src/modes/host.js removes the injected authorized_keys entry and the temporary keys in cleanup hooks, and includes symlink checks.
- src/modes/ai.js requires consent, blocks secret paths, prompts before executing tools or reading files, and redacts secrets before calling Groq.
- src/lib/broker.js stores encrypted blobs and uses endpoints under the selected broker that are consistent with the package's purpose.
- The inspected source shows no evidence of credential harvesting, hidden payload download, prompt injection aimed at reviewers, or stealth persistence.
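The check behind the package.json points above (no consumer-side install hook, only a publisher-side prepublishOnly), written out as an added example. This is not code from the scanner or from the reviewed package; the two manifests are constructed and hypothetical, and the helper names are this example's own.

```javascript
// Added example; not code from the scanner or from the reviewed package.
// Classifies npm lifecycle scripts by when npm actually runs them.

// Run on the consumer's machine whenever the package is installed as a dependency.
const CONSUMER_INSTALL_HOOKS = new Set(['preinstall', 'install', 'postinstall']);
// Run on the consumer's machine only in some install paths (git/local dependency,
// bare `npm install` inside the package checkout), so they still deserve a look.
const CONDITIONAL_HOOKS = new Set(['prepare', 'prepublish']);
// Run only on the publisher's machine (npm publish / npm pack).
const PUBLISHER_HOOKS = new Set(['prepublishOnly', 'prepack', 'postpack', 'publish', 'postpublish']);

function auditLifecycleScripts(pkg) {
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  const report = { installTime: [], conditional: [], publisherOnly: [], other: [] };
  for (const [name, cmd] of Object.entries(scripts)) {
    const entry = { name, cmd: String(cmd) };
    if (CONSUMER_INSTALL_HOOKS.has(name)) report.installTime.push(entry);
    else if (CONDITIONAL_HOOKS.has(name)) report.conditional.push(entry);
    else if (PUBLISHER_HOOKS.has(name)) report.publisherOnly.push(entry);
    else report.other.push(entry);
  }
  // The bit a reviewer reads first: does anything run just by installing it?
  report.runsOnInstall = report.installTime.length > 0;
  return report;
}

// Convenience wrapper for raw package.json text (e.g. read out of the registry tarball).
function auditPackageJsonText(text) {
  return auditLifecycleScripts(JSON.parse(text));
}

// Constructed sample manifests (hypothetical; not the reviewed package's package.json).
const BENIGN_MANIFEST = JSON.stringify({
  name: 'example-cli',
  bin: { 'example-cli': 'src/cli.js' },
  scripts: { prepublishOnly: 'node scripts/check-help.js', test: 'node --test' },
});
const SUSPICIOUS_MANIFEST = JSON.stringify({
  name: 'example-cli',
  scripts: { postinstall: 'node scripts/setup.js', prepare: 'node build.js', test: 'node --test' },
});

const benignReport = auditPackageJsonText(BENIGN_MANIFEST);
const suspiciousReport = auditPackageJsonText(SUSPICIOUS_MANIFEST);
console.log('benign runs on install:', benignReport.runsOnInstall);          // false
console.log('suspicious runs on install:', suspiciousReport.runsOnInstall);  // true
console.log('suspicious install-time hooks:', suspiciousReport.installTime.map((e) => e.name)); // [ 'postinstall' ]
```

A manifest with only prepublishOnly, like the benign sample, never executes anything on the consumer's machine at install time; the rest of the review then has to look at what the `bin` entrypoint does when invoked, which is exactly where the evidence above goes next.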
Source & flagged code
6 flagged (4 shown)
- Source writes installer persistence such as shell profile or service configuration. src/modes/ai.js, line 4
- Source writes persistence or remote-access backdoor material. src/modes/host.js, line 15
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. src/modes/host.js, line 15
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. src/modes/client.js, line 14