AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No installation-time attack surface is present. Explicit `oas init`, `use`, and `spawn` commands write agent-control artifacts and may run active bundled capability hooks; optional Linear commands call its API with its configured key.
Decision evidence
public snapshot- `bin/oas.mjs` explicitly creates/edits `oas-config.yaml` and capability locks.
- `lib/core.mjs` spawns agent homes and writes generated `AGENTS.md`/`CLAUDE.md` plus skills.
- `lib/core.mjs` executes configured, trusted capability lifecycle hooks during explicit spawn/retire.
- `capabilities/oas-aweb/bin/oas-aweb.mjs` can mint/delete aweb identities through `aw` on lifecycle events.
- `capabilities/oas-linear/bin/oas-linear.mjs` sends the supplied `LINEAR_API_KEY` only to Linear's GraphQL endpoint.
- `package.json` defines no `preinstall`, `install`, `postinstall`, or `prepare` hook.
- No import-time network behavior, credential harvesting, obfuscation, eval/vm, or binary loading found.
- External executable capabilities require lock/trust handling in `lib/core.mjs`; activation occurs through CLI/config actions.
- All observed writes and subprocesses implement documented CLI, workspace, tmux, Git, or configured capability actions.
Source & flagged code
2 flagged · loading sourcePackage source references dynamic require/import behavior.
capabilities/oas-okf/bin/oas-okf.mjsView on unpkg · L160This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/oas.mjsView on unpkg