AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. User-started runs can launch an autonomous coding-agent CLI with edit and shell capability. Selected remote directory skills are copied into the project’s Claude skill directory and excluded from git.
Decision evidence
public snapshot- `dist/skills-remote.js` clones configured team skills and writes selected directory skills into `<repo>/.claude/skills/<name>/`.
- `dist/skills-remote.js` appends those generated skill paths to the repository’s `.git/info/exclude`.
- `dist/core/codex-app-server-runner.js` launches Codex with workspace-write, approval policy documented as never, and network access enabled by default.
- `dist/core/claude-cli-runner.js` starts Claude with `acceptEdits`; default workflow tools include Bash.
- `dist/server/server.js` exposes a local agent-run endpoint and a team-skill refresh endpoint; normal bind is loopback.
- `package.json` has only `prepublishOnly`; no install, postinstall, or preinstall hook executes for consumers.
- No package source evidence of credential harvesting, token upload, hidden exfiltration, eval, native loading, or runtime package installation.
- Network use is package-aligned: npm registry update checks, configured git skill repositories, and user-selected agent/forge actions.
- CLI/server activation requires an explicit `cezar` command; the normal server binds to `127.0.0.1`.
- Skill materialization is scoped to the selected project/worktree and occurs during a user-started agent step.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/core/claude-cli-runner.jsView on unpkg · L1Package source references dynamic require/import behavior.
web/dist/assets/jsx-Bz0zcwM4.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
scripts/dev.mjsView on unpkg · L36Package source invokes a package manager install command at runtime.
dist/core/backend-detect.jsView on unpkg · L40Package ships high-entropy non-source blobs.
web/dist/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg