AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack surface is established. At runtime, a granted first-party channel capability can create a package-controlled CLI shim and broker a short-lived token to the fixed vendor CLI.
Decision evidence
public snapshot- `src/channel-capability.ts` materializes executable `lark-cli` pointer shims in a runtime state directory.
- `src/bin/channel-exec.ts` mints a channel token and launches a fixed vendor CLI with inherited stdio.
- `src/internal/attachment-input.ts` fetches user-provided HTTP(S) attachment URLs into a local attachment root.
- `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or `bin` declaration.
- No import-time execution is exposed by `src/index.ts`; the executable entry runs only as a program.
- The channel shim is capability-gated and fixes the target binary to `lark-cli`, preventing arbitrary token-to-program redirection.
- `src/channel-token.ts` sends token requests only to the configured `PRLL_API_URL`; no hard-coded third-party endpoint was found.
- Attachment downloads reject non-HTTP(S) schemes, enforce limits, and constrain writes to the attachment root.
- No eval/vm usage, arbitrary remote-code loading, credential exfiltration, or destructive broad filesystem behavior was found.
Source & flagged code
3 flagged · loading source`src/channel-capability.ts` materializes executable `lark-cli` pointer shims in a runtime state directory.
src/channel-capability.tsView on unpkg`src/bin/channel-exec.ts` mints a channel token and launches a fixed vendor CLI with inherited stdio.
src/bin/channel-exec.tsView on unpkg`src/internal/attachment-input.ts` fetches user-provided HTTP(S) attachment URLs into a local attachment root.
src/internal/attachment-input.tsView on unpkg