AI Security Review
scanned 2h ago · by lpm-firewall-aiThe CLI intentionally supports installing JavaScript engine plugins from user-provided local paths or HTTP(S) URLs. The bundle is persisted and dynamically imported, so it executes with the invoking user's privileges when installed or later loaded.
Static reason
No blocking static signals were detected.
Trigger
User runs `roomba engine install <url>` and confirms, or later runs a command that loads an installed engine.
Impact
A malicious engine URL can execute arbitrary code as the user after explicit installation.
Mechanism
User-authorized remote plugin download, persistence, and dynamic ESM import.
Rationale
No concrete malicious behavior is present in the package itself, but its explicit engine-install feature downloads and executes arbitrary user-selected JavaScript. Treat it as a warned dangerous-capability package rather than a publish-blocking malware package.
Evidence
package.jsondist/index.jsdist/engines.jsdist/sources.jsdist/download.jsdist/cache.jsdist/self-update.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/engines.js` downloads a user-supplied engine bundle, writes it under the user data directory, then dynamically imports it.
- `dist/index.js` exposes this as `roomba engine install <url>` and permits noninteractive confirmation with `--yes`.
- Installed engine bundles are dynamically imported again by normal CLI commands through `loadEngines`.
- `dist/index.js` also provides explicit user-invoked global npm self-update and game-download commands.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- Remote engine execution requires an explicit CLI command and a confirmation prompt unless the user supplies `--yes`.
- No credential harvesting, environment-secret access, exfiltration, hidden persistence, AI-agent configuration writes, obfuscation, or embedded payload was found.
- Network URLs are command or engine inputs; no hard-coded remote host was found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Source & flagged code
1 flagged · loading sourcedist/engines.jsView file
57export async function importEngine(bundlePath) {
L58: const mod = await import(pathToFileURL(bundlePath).href);
L59: return validateEngine(mod);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/engines.jsView on unpkg · L57Findings
3 Medium2 Low
MediumDynamic Requiredist/engines.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem