AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The risky primitives are package-aligned automation features gated behind explicit CLI/config use, not install-time or import-time behavior.
Decision evidence
public snapshot- package.json has no install/postinstall lifecycle hooks; CLI bins are user-invoked dist/cli/index.js
- dist/cli/index.js defaultSpawnSetupToken runs `claude setup-token` only from auth flow and masks token in console output before storing locally
- dist/chunk-KUBWWM7W.js spawns `claude`/`codex`, git, gh, and configured verify/setup commands as the core AI PR automation feature
- dist/chunk-KUBWWM7W.js sends notifications only to configured ntfy/Telegram endpoints and drops tokens for non-HTTPS ntfy/Telegram APIs
- dist/chunk-KUBWWM7W.js strips ANTHROPIC/OpenAI/Codex API keys from agent env and treats task/issue text as untrusted env data
- dist/cli/index.js update command is explicit user action; registry URL is validated for shell-unsafe characters before shell execution
Source & flagged code
8 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/cli/index.jsView on unpkg · L70A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/index.jsView on unpkg · L70Package source references child process execution.
dist/cli/index.jsView on unpkg · L326A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/index.jsView on unpkg · L3149Package source invokes a package manager install command at runtime.
dist/cli/index.jsView on unpkg · L3008Source writes installer persistence such as shell profile or service configuration.
dist/cli/index.jsView on unpkg · L70This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-KUBWWM7W.jsView on unpkg