AI Security Review
scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a local AI work-tracking app with user-invoked daemon, Claude/Codex integration, optional remote tunnel, and self-update features that align with its stated purpose.
Decision evidence
public snapshot
- dist/server.js defaults Claude SDK permissionMode to bypassPermissions for agent turns.
- dist/bin/orangetree.js can spawn a detached daemon, browser opener, updater, and Windows shortcuts when the CLI is run.
- dist/server.js can download/run pinned Newt tunnel binaries and make cloud/API requests when remote mode/onboarding is configured.
- package.json has no install/preinstall/postinstall lifecycle hooks; bin/main behavior is user-invoked.
- dist/server.js binds local mode to 127.0.0.1 and gates remote APIs with token/cloud-session auth.
- dist/server.js network endpoints are product-aligned: orangetree cloud, npm update check, GitHub Newt releases with hashes.
- dist/server.js bot profile comments and code avoid copying Claude credentials into app data; config dirs are selected for spawned Claude auth/status/login.
- dist/bin/orangetree.js update path installs the same package name/version tag pattern, not arbitrary remote code.
- No credential harvesting, exfiltration endpoint, destructive install-time behavior, or reviewer/prompt manipulation found.
Source & flagged code
5 flagged
- Package source references child process execution. (dist/bin/orangetree.js · L87)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/bin/orangetree.js · L87)
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. (dist/bin/orangetree.js · L64)
- This package version adds a dangerous source file absent from the previous stored version. (dist/server.js)