AI Security Review
scanned 5d ago · by lpm-firewall-ai
No confirmed malicious attack surface; the risky primitives are aligned with a local-first Claude work-tracking/server tool. Execution occurs when the CLI/server is run, not during npm install.
Decision evidence
public snapshot
- dist/server.js runs a Claude-agent orchestration UI with default OTREE_PERMISSION_MODE=bypassPermissions.
- dist/server.js can spawn claude/newt, manage local server processes, and perform global npm update when invoked.
- Remote/cloud mode posts to orangetree API and can expose a gated server when enabled by config/env.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- dist/bin/orangetree.js only starts/stops/status/updates the daemon on explicit CLI invocation.
- Claude credential handling uses CLAUDE_CONFIG_DIR and comments/code store profile metadata, not copied credentials.
- Remote API is gated by token/cloud session unless local loopback, with root-jail path checks for file APIs.
- Network endpoints are package-aligned: orangetree cloud, npm registry update check, newt release source.
Source & flagged code
4 flagged
Package source references child process execution.
dist/bin/orangetree.js · L87
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/bin/orangetree.js · L87
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/bin/orangetree.js · L64