AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious install-time attack surface was found. Residual risk remains from obfuscated runtime/license code and bundled native binaries that cannot be fully audited statically from readable source.
Decision evidence
public snapshot- server.js, cli/consumer.js, cli/consumer-deploy.js, cli/designer.js are heavily obfuscated entrypoints.
- server.js imports scripts/verify-integrity.js and exits on integrity failure at runtime.
- src/utils/license-client.js is obfuscated and uses https plus machine/license validation logic.
- Package ships native executables under bin/ including restforge-designer.exe and hwinfo tools.
- package.json preinstall only runs scripts/check-install.js.
- scripts/check-install.js only prints global/local install guidance and exits 0.
- No install-time writes, credential harvesting, or AI-agent control-surface mutation found.
- Network behavior appears package-aligned for license validation and generated app/auth templates.
- generators/cli/fast-track.js package-manager/runtime commands are explicit user-invoked project generation flow.
Source & flagged code
8 flagged · loading sourceTarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
server.jsView on unpkg · L2Package source references dynamic require/import behavior.
server.jsView on unpkg · L2Package source references weak cryptographic algorithms.
generators/lib/dbschema-kit/naming.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
generators/cli/fast-track.jsView on unpkg · L272