AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
User installs, configures the plugin, and starts a development server; then sends an overlay request.
Impact
User-authored overlay prompts can cause the configured Claude Code session to modify the active project.
Mechanism
Local WebSocket bridge to a Claude Agent SDK session with automatic permissions.
Rationale
No concrete malicious chain is established, but the package deliberately exposes an auto-permission coding agent through a local browser overlay. Flag as a warning for dangerous capability rather than block as malware.
Evidence
package.jsondist/chunk-XCBM54EQ.jsdist/channel-server.jsdist/overlay.iife.global.jsREADME.mdnode_modules/.cache/pinfix/server.pid
Network endpoints1
ws://localhost:<port>
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/channel-server.js` starts Claude Agent SDK with `permissionMode: "auto"` in the project cwd.
- Browser WebSocket messages supply source locations, prompts, and chat content to that agent session.
- `dist/chunk-XCBM54EQ.js` auto-spawns the bundled helper when the configured dev server runs.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- The only runtime endpoint is localhost WebSocket transport (`ws://localhost:<port>`).
- No package code shows credential harvesting, remote HTTP upload, eval, or foreign AI-agent config writes.
- Filesystem writes are limited to `node_modules/.cache/pinfix/server.pid` lifecycle cleanup.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/chunk-XCBM54EQ.jsView file
167// src/server.ts
L168: import { spawn } from "child_process";
L169: import { existsSync, watchFile, unwatchFile, readFileSync as readFileSync2, unlinkSync } from "fs";
High
Child Process
Package source references child process execution.
dist/chunk-XCBM54EQ.jsView on unpkg · L16729Cross-file remote execution chain: dist/chunk-XCBM54EQ.js spawns dist/overlay.iife.global.js; helper contains network access plus dynamic code execution.
L29: const [filePath, query] = id.split("?", 2);
L30: const params = new URLSearchParams(query || "");
L31: if (filePath.endsWith(".vue") && (params.get("lang") === "tsx" || params.get("lang") === "jsx")) {
...
L167: // src/server.ts
L168: import { spawn } from "child_process";
L169: import { existsSync, watchFile, unwatchFile, readFileSync as readFileSync2, unlinkSync } from "fs";
...
L176: function getRuntimeDir() {
L177: return typeof __dirname === "string" ? __dirname : dirname(fileURLToPath(import.meta.url));
L178: }
...
L209: env: {
L210: ...process.env,
L211: PINFIX_PORT: String(options.port),
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/chunk-XCBM54EQ.jsView on unpkg · L29Findings
3 High1 Medium4 Low
HighChild Processdist/chunk-XCBM54EQ.js
HighShell
HighCross File Remote Execution Contextdist/chunk-XCBM54EQ.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings