AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. User-invoked orchestration can run configured AI CLIs and persist Otto-owned workspace configuration under `.otto`.
Decision evidence
public snapshot- `dist/runner.js` explicitly spawns Claude/Codex CLIs during user-invoked stages.
- `dist/extensions-cli.js` writes `.otto` config, policy, tool, and skill-source files on `otto-extensions init`.
- `dist/linear-api.js` reads Linear credentials and calls `https://api.linear.app/graphql` when Linear commands run.
- `dist/headroom-adapter.js` can invoke Python/Headroom; online model download is user/config controlled.
- `package.json` has no preinstall/install/postinstall hook; only publish-time build script.
- `dist/index.js` is exports only; inspection found no import-time execution.
- Subprocesses use argument arrays and explicit agent/tool commands, not hidden shell payloads.
- `dist/external-skills.js` syncs only local sources in this build and imports skills as unverified/inert.
- No credential harvesting or package-controlled exfiltration endpoint was found.
- No writes to foreign AI-agent directories such as `.claude` or `.codex` were found.
Source & flagged code
4 flagged · loading source`dist/runner.js` explicitly spawns Claude/Codex CLIs during user-invoked stages.
dist/runner.jsView on unpkg`dist/extensions-cli.js` writes `.otto` config, policy, tool, and skill-source files on `otto-extensions init`.
dist/extensions-cli.jsView on unpkg`dist/linear-api.js` reads Linear credentials and calls `https://api.linear.app/graphql` when Linear commands run.
dist/linear-api.jsView on unpkg`dist/headroom-adapter.js` can invoke Python/Headroom; online model download is user/config controlled.
dist/headroom-adapter.jsView on unpkg