AI Security Review
scanned 19h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot
- dist/server.js runs Claude/Codex agents with tool access and default permissionMode bypassPermissions unless settings choose ask.
- dist/server.js exposes an orange-tree MCP server to Claude sessions and injects package/system guidelines into agent runs.
- dist/server.js can download/run Newt tunnel binaries for remote mode and persists tunnel credentials under app data.
- dist/bin/orangetree.js starts a detached background daemon and has a user-invoked self-update path that runs npm install -g @orangeworks/orangetree@tag.
- dist/server.js auto-bootstraps an ambient ~/.claude profile when already logged in.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- Main risky behavior is activated by running the orangetree CLI/server or using the UI, not by npm install/import alone.
- Agent config/profile writes are under ~/.orangetree or ~/.orangetree-bots, with ambient ~/.claude only referenced for existing login discovery.
- Remote mode is opt-in via OTREE_REMOTE_* config, token/cloud auth, or pairing; default server binds to 127.0.0.1.
- No source evidence of credential harvesting or exfiltration beyond package-aligned auth/status, tunnel, update, and agent-session features.
Source & flagged code
6 flagged
Package source references child process execution.
dist/bin/orangetree.js · L87
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/bin/orangetree.js · L87
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/bin/orangetree.js · L64
Package contains source files above the static scanner size ceiling.
dist/public/mermaid.js
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/server.js