AI Security Review
scanned 3h ago · by lpm-firewall-aiWhen the Bizar dashboard is running on its default loopback listener, an unauthenticated local process can create or run a schedule whose command action starts an arbitrary executable with attacker-supplied arguments. This is a local dashboard API authorization flaw, not an npm install-time payload.
Decision evidence
public snapshot- `bizar-dash/src/server/routes/schedules.mjs` exposes unauthenticated schedule creation, modification, and immediate-run endpoints that pass a caller-controlled `action` object to the scheduler.
- `bizar-dash/src/server/schedules-store.mjs` stores `input.action` without restricting action types or command targets.
- `bizar-dash/src/server/schedules-runner.mjs` executes `action.type === "command"` with `spawn(parsed.command, parsed.args, { shell: false, env: process.env })`; the parser accepts a command plus arguments and rejects only shell metacharacters.
- `bizar-dash/src/server/auth.mjs` explicitly treats loopback dashboard requests as trusted; the dashboard is documented in code as binding to `127.0.0.1` by default, so a local process can reach the schedule endpoints without a bearer token while the dashboard is running.
- `cli/service-controller.mjs` can register the dashboard as a user-login service, but `cli/service.mjs` reaches that behavior only after an explicit `bizar service install` command.
- `package.json` contains only `prepublishOnly`; it declares no `preinstall`, `install`, or `postinstall` npm lifecycle hook.
- No inspected path fetches external JavaScript or command text and evaluates it.
- No inspected lifecycle hook automatically writes `.mcp.json`, `CLAUDE.md`, `.claude/`, OpenCode skills, service entries, or other agent control surfaces during npm installation.
- The `bizar` entrypoint dispatches install, update, setup, and service operations only after an explicit CLI argument; package import and npm installation do not invoke them.
- Scheduler webhooks restrict protocols to HTTP(S), reject embedded credentials, and block private, loopback, and `.local` targets by default.
- `bizar-dash/src/server/update-store.mjs` updates only the three hardcoded `@polderlabs` package names and uses `--ignore-scripts`.
Source & flagged code
30 flagged · loading sourcePackage contains a critical-looking secret pattern.
bizar-dash/tests/memory-sync.test.mjsView on unpkg · L107AWS access key ID in bizar-dash/tests/memory-sync.test.mjs
bizar-dash/tests/memory-sync.test.mjsView on unpkg · L107Package source references child process execution.
bizar-dash/tests/plugins-sandbox.test.mjsView on unpkg · L5Package source references dynamic require/import behavior.
bizar-dash/tests/plugins-sandbox.test.mjsView on unpkg · L24Package source references a known benign dynamic code generation pattern.
templates/plan/htmx.min.jsView on unpkg · L1Package source references weak cryptographic algorithms.
bizar-dash/src/server/routes/activity.mjsView on unpkg · L25Source writes installer persistence such as shell profile or service configuration.
cli/service-controller.mjsView on unpkg · L23This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bizar-dash/src/server/schedules-runner.mjsView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
bizar-dash/src/server/schedules-runner.mjsView on unpkg · L18Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
cli/copy.mjsView on unpkg · L80Package source invokes a package manager install command at runtime.
bizar-dash/src/server/update-store.mjsView on unpkg · L77Package ships non-JavaScript build or shell helper files.
config/skills/embedded-esp-idf/scripts/size_check.shView on unpkgTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgAWS access key ID in bizar-dash/tests/memory-secrets.test.mjs
bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L19GitHub personal access token in bizar-dash/tests/memory-secrets.test.mjs
bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L25Stripe live secret key in bizar-dash/tests/memory-secrets.test.mjs
bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L31Slack bot token in bizar-dash/tests/memory-secrets.test.mjs
bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L37RSA private key in bizar-dash/tests/memory-secrets.test.mjs
bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L43AWS access key ID in bizar-dash/tests/memory-secrets.test.mjs
bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L92AWS access key ID in bizar-dash/tests/memory-secrets.test.mjs
bizar-dash/tests/memory-secrets.test.mjsView on unpkg · L99AWS access key ID in bizar-dash/tests/memory-store.test.mjs
bizar-dash/tests/memory-store.test.mjsView on unpkg · L219AWS access key ID in bizar-dash/tests/memory-cli.test.mjs
bizar-dash/tests/memory-cli.test.mjsView on unpkg · L231Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs
bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L45Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs
bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L53Hardcoded password in bizar-dash/scripts/smoke-bg-retry.mjs
bizar-dash/scripts/smoke-bg-retry.mjsView on unpkg · L65Hardcoded password in plugins/bizar/tests/http-client.test.ts
plugins/bizar/tests/http-client.test.tsView on unpkg · L51Hardcoded password in plugins/bizar/tests/serve.test.ts
plugins/bizar/tests/serve.test.tsView on unpkg · L70Hardcoded password in plugins/bizar/src/serve-info.ts
plugins/bizar/src/serve-info.tsView on unpkg · L24Hardcoded password in packages/sdk/tests/client.test.ts
packages/sdk/tests/client.test.tsView on unpkg · L23