AI Security Review
scanned 1h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User adds the plugin and starts a Vite/Webpack/Rspack development or watch server.
Impact
A reachable or untrusted browser client could request AI-agent actions in the developer project; no install-time compromise or exfiltration endpoint is confirmed.
Mechanism
local WebSocket-to-Claude-agent bridge with automatic tool permissions
Rationale
Source inspection does not establish malicious intent or a concrete malware chain. The package nevertheless exposes a high-impact developer-agent control surface without source-visible WebSocket authentication, so it warrants a warning.
Evidence
package.jsondist/chunk-XCBM54EQ.jsdist/channel-server.jsdist/overlay.iife.global.jsREADME.mdnode_modules/.cache/pinfix/server.pid
Network endpoints1
ws://localhost:24816
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/chunk-XCBM54EQ.js` starts a local channel-server during dev/watch mode.
- `dist/channel-server.js` forwards browser chat and source context to Claude Agent SDK with `permissionMode: "auto"`.
- `dist/channel-server.js` creates `WebSocketServer({ port })` without source-level authentication checks.
- The channel server writes `node_modules/.cache/pinfix/server.pid` and runs with the project cwd.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- The spawned executable is the packaged `dist/channel-server.js` via the current Node runtime.
- Observed WebSocket URLs are localhost-only in the plugin/overlay source.
- No HTTP fetch, credential harvesting, shell execution, dynamic code evaluation, or foreign agent-config writes were found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/chunk-XCBM54EQ.jsView file
167// src/server.ts
L168: import { spawn } from "child_process";
L169: import { existsSync, watchFile, unwatchFile, readFileSync as readFileSync2, unlinkSync } from "fs";
High
Child Process
Package source references child process execution.
dist/chunk-XCBM54EQ.jsView on unpkg · L16729Cross-file remote execution chain: dist/chunk-XCBM54EQ.js spawns dist/overlay.iife.global.js; helper contains network access plus dynamic code execution.
L29: const [filePath, query] = id.split("?", 2);
L30: const params = new URLSearchParams(query || "");
L31: if (filePath.endsWith(".vue") && (params.get("lang") === "tsx" || params.get("lang") === "jsx")) {
...
L167: // src/server.ts
L168: import { spawn } from "child_process";
L169: import { existsSync, watchFile, unwatchFile, readFileSync as readFileSync2, unlinkSync } from "fs";
...
L176: function getRuntimeDir() {
L177: return typeof __dirname === "string" ? __dirname : dirname(fileURLToPath(import.meta.url));
L178: }
...
L209: env: {
L210: ...process.env,
L211: PINFIX_PORT: String(options.port),
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/chunk-XCBM54EQ.jsView on unpkg · L29Findings
3 High1 Medium4 Low
HighChild Processdist/chunk-XCBM54EQ.js
HighShell
HighCross File Remote Execution Contextdist/chunk-XCBM54EQ.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings