AI Security Review
scanned 2h ago · by lpm-firewall-aiThe runtime server exposes unauthenticated local API routes. Its permissive CORS and private-network response header permit an arbitrary web origin to call those routes, including terminal creation.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A victim visits a malicious website while an Ottocode server using this app is running on localhost.
Impact
Remote website can execute commands with the local server user's privileges.
Mechanism
Cross-origin localhost API access leading to arbitrary terminal command execution.
Rationale
Source inspection confirms a critical runtime access-control flaw that exposes command execution, but no malicious install-time behavior or covert payload was found. Downgrade to warn as a critical vulnerability rather than publish-blocking malware.
Evidence
package.jsonsrc/index.tssrc/tunnel-auth.tssrc/routes/terminals.tssrc/routes/terminals/service.ts
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `src/index.ts` reflects every Origin while enabling credentials and private-network access.
- `src/tunnel-auth.ts` bypasses authentication for all non-tunneled localhost requests.
- `src/routes/terminals/service.ts` accepts caller-controlled command, args, and cwd to create a terminal.
- A browser-originated request can reach the unauthenticated terminal API when the local server is running.
Evidence against
- `package.json` contains no preinstall, install, or postinstall lifecycle hooks.
- No source evidence shows covert credential harvesting, exfiltration, or stealth persistence.
- Terminal and agent-server features appear aligned with the package's stated HTTP-server purpose.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcesrc/runtime/context/references.tsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @ottocode/server@0.1.354
matchedIdentity = npm:QG90dG9jb2RlL3NlcnZlcg:0.1.354
similarity = 0.925
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/runtime/context/references.tsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltasrc/runtime/context/references.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License