AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a local AI-agent automation CLI whose network, shell, scheduler, and file writes are user-invoked and aligned with its documented purpose.
Decision evidence
public snapshot- dist/cli/index.js exposes user-invoked commands that spawn claude/codex/git/gh and can run configured repo setup/verify commands.
- dist/cli/index.js update command can run npm/pnpm/yarn/bun global install, but only via explicit `afterburner update`.
- dist/cli/index.js statusline/skill/schedule commands write Claude/settings or scheduler artifacts, but are explicit CLI subcommands.
- package.json has no install/postinstall lifecycle hooks; bin is the CLI only.
- dist/cli/index.js `auth` runs `claude setup-token`, redacts stdout, extracts token, and stores it locally; no source path sends that output to a remote endpoint.
- dist/chunk-REVVAUKX.js notifications only send run outcome/title/PR URL to configured ntfy/Telegram endpoints, with HTTPS token guards.
- dist/core/index.js only re-exports library APIs; no import-time command execution observed.
- README.md and afterburner.config.example.ts document dry-run default, live backend opt-in, PR-only branch behavior, and no telemetry.
Source & flagged code
8 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli/index.jsView on unpkg · L70A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/index.jsView on unpkg · L70This package version adds a dangerous source file absent from the previous stored version.
dist/cli/index.jsView on unpkgPackage source references child process execution.
dist/cli/index.jsView on unpkg · L326A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/index.jsView on unpkg · L2851Package source invokes a package manager install command at runtime.
dist/cli/index.jsView on unpkg · L2710Source writes installer persistence such as shell profile or service configuration.
dist/cli/index.jsView on unpkg · L70