AI Security Review
scanned 2d ago · by lpm-firewall-aiThe user-launched desktop dashboard starts a local server and exposes a route that installs optional developer tools. The installation logic downloads latest remote artifacts and executes shell commands, including one curl-to-bash path.
Decision evidence
public snapshot- server/server.js exposes POST /api/prereqs/install.
- That route runs shell curl downloads and a curl|bash installer for optional tools.
- server/server.js starts and supervises local AI-agent/deacon child processes after dashboard startup.
- server/server.js can access ~/.claude skills and writes OAuth credentials for its omp integration.
- package.json postinstall only runs electron-rebuild and ignores failure.
- bin/overdeck.mjs launches Electron only when the user invokes the CLI.
- dist-electron/main.js spawns the packaged server and polls 127.0.0.1.
- No inspected lifecycle code exfiltrates credentials or mutates foreign agent controls.
Source & flagged code
11 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
server/public/assets/chunk-EIO257PC-DnXo63uH.jsView on unpkg · L22AWS access key ID in server/public/assets/chunk-EIO257PC-DnXo63uH.js
server/public/assets/chunk-EIO257PC-DnXo63uH.jsView on unpkg · L22Package source references dynamic require/import behavior.
dist-electron/preload.jsView on unpkg · L1Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
bin/overdeck.mjsView on unpkg · L58Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
server/public/assets/chunk-NNHCCRGN-oonlRMkZ.jsView on unpkg · L46Package contains source files above the static scanner size ceiling.
server/server.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist-electron/main.jsView on unpkgGoogle API key in server/public/assets/chunk-ZUYEQ4TG-B82Qm37l.js
server/public/assets/chunk-ZUYEQ4TG-B82Qm37l.jsView on unpkg · L1