AI Security Review
scanned 3h ago · by lpm-firewall-aiA browser-originated request can reach a permissively CORS-enabled server API. The terminal route can create arbitrary processes in the selected project runtime without inspected route-level authentication.
Decision evidence
public snapshot- `src/index.ts` reflects every Origin, enables credentials, and sets private-network access.
- `src/routes/terminals/service.ts` accepts request-supplied commands and starts project terminal processes.
- `src/routes/project-context.ts` accepts project selection from request query/headers.
- The exposed terminal API has no route-level authorization in inspected source.
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- Importing `src/index.ts` registers HTTP routes; it does not execute shell commands.
- No source evidence of covert credential harvesting or unsolicited exfiltration.
- Observed provider/share requests are feature-aligned runtime API calls.
Source & flagged code
4 flagged · loading source`src/index.ts` reflects every Origin, enables credentials, and sets private-network access.
src/index.tsView on unpkg`src/routes/terminals/service.ts` accepts request-supplied commands and starts project terminal processes.
src/routes/terminals/service.tsView on unpkg`src/routes/project-context.ts` accepts project selection from request query/headers.
src/routes/project-context.tsView on unpkgThe exposed terminal API has no route-level authorization in inspected source.
package.jsonView on unpkg