AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The risky primitives are user-invoked features of an AI-agent automation CLI, not install-time or import-time behavior.
Decision evidence
public snapshot- dist/chunk-46LFIFRK.js builds live invocations for claude/codex with shell-capable agents.
- dist/chunk-46LFIFRK.js can temporarily write ~/.claude.json trust state for a worktree during Claude runs.
- dist/cli/index.js has user-invoked schedule/statusline/update commands that write scheduler files, shell rc, or run package-manager update commands.
- package.json has no install/postinstall lifecycle hooks; execution is via CLI bin or import only.
- README.md describes the package purpose as user-configured AI-agent PR automation and documents live-agent risks.
- dist/chunk-46LFIFRK.js passes untrusted task text via stdin/env, disables naive git push for child agent, and commits to afterburner branches.
- Network calls are package-aligned: npm registry update checks, Telegram/ntfy notifications, and user repo/git/gh workflows.
- dist/cli/index.js auth command stores a Claude token only after explicit user action and redacts token output.
Source & flagged code
7 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli/index.jsView on unpkg · L70A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/index.jsView on unpkg · L70Package source references child process execution.
dist/cli/index.jsView on unpkg · L326A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/index.jsView on unpkg · L3084Package source invokes a package manager install command at runtime.
dist/cli/index.jsView on unpkg · L2943Source writes installer persistence such as shell profile or service configuration.
dist/cli/index.jsView on unpkg · L70