AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found by static inspection. The package is a user-invoked AI-agent firewall/proxy CLI with local daemon, routing, web search/fetch tools, and optional update/service commands.
Decision evidence
public snapshot- package.json has no install/postinstall lifecycle hooks; binaries are user-invoked CLI entries.
- dist/bin/tap.js only spawns the command after an explicit '--' and posts parsed JSON frames to local AFW daemon by default.
- dist/bin/tools.js web_fetch blocks localhost, private IP literals, link-local, and metadata hosts before fetching.
- dist/secrets-Bwiz887p.js stores AFW config/secrets under AFW_HOME or ~/.afw with atomic writes, not import-time exfiltration.
- dist/bin/afw.js child_process usage is tied to daemon launch, service management, explicit agent wrapping, lsof probing, and user-triggered update flows.
- Network endpoints are package-aligned model/search/update providers such as OpenAI, Anthropic, Brave, DuckDuckGo, Baidu, and npm registry.
Source & flagged code
6 flagged · loading sourceSource writes installer persistence such as shell profile or service configuration.
dist/bin/afw.jsView on unpkg · L5A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/bin/tap.jsView on unpkg · L20Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/bin/tap.jsView on unpkg · L8Source reaches cloud instance metadata or link-local credential endpoints.
dist/bin/tools.jsView on unpkg · L6