AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. High-risk primitives are part of a user-invoked AI quota automation CLI that creates isolated worktrees, runs configured agents, and optionally notifies or updates when commanded.
Decision evidence
public snapshot- dist/cli/index.js imports child_process and exposes commands that spawn claude/codex/git/gh and update via package manager when user invokes them.
- dist/chunk-WJGGV2YJ.js can write Claude config trust state for temporary worktrees and can commit/push/merge generated branches under configured policies.
- dist/chunk-WJGGV2YJ.js sends optional notifications to ntfy.sh or api.telegram.org with env-provided tokens.
- package.json has no install/postinstall/preinstall lifecycle scripts; bin execution is user-invoked.
- dist/cli/index.js defaultSpawnSetupToken runs `claude setup-token`, redacts stdout, extracts token, and stores it locally via writeOAuthToken rather than sending command output externally.
- Network calls are package-aligned: npm update checks, Telegram/ntfy notifications, and configured repo/PR operations.
- Agent prompts explicitly label task, issue, rejected, and merged text as untrusted and pass it through env vars rather than shell interpolation.
- dist/core/index.js only re-exports library APIs and has no obvious import-time execution beyond module loading.
Source & flagged code
8 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli/index.jsView on unpkg · L70A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/index.jsView on unpkg · L70Package source references child process execution.
dist/cli/index.jsView on unpkg · L326A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/index.jsView on unpkg · L3084Package source invokes a package manager install command at runtime.
dist/cli/index.jsView on unpkg · L2943Source writes installer persistence such as shell profile or service configuration.
dist/cli/index.jsView on unpkg · L70This package version adds a dangerous source file absent from the previous stored version.
dist/chunk-WJGGV2YJ.jsView on unpkg