AI Security Review
scanned 1h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a native AI assistant CLI/desktop app with broad user-invoked capabilities, but inspected source gates sensitive actions behind user commands, config, or approval.
Decision evidence
public snapshot
- package.json runs postinstall cargo build and copies target/release/mint to bin/mint
- src/bin/index.js spawns bin/mint with user CLI args
- bin/mint is a shipped ELF native executable
- CLI includes user-invoked shell/file/agent/MCP features with approval/config gates
- No install-time code found beyond cargo build/copy; mint-cli has no build.rs
- Network endpoints are package-aligned AI/search/messaging/update APIs in source
- Config writes are to Mint-owned config files and user-invoked setup/onboarding paths
- Shell execution requires explicit approval in crates/mint-core/src/shell.rs
- No credential harvesting or hardcoded exfiltration endpoint found
Source & flagged code
4 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Native or WebAssembly artifact printable strings contain known collector or webhook infrastructure. (bin/mint)