AI Security Review
scanned 10d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface was found, but the package is a powerful AI-platform installer. It provisions services and brand-scoped Claude Code plugins/settings, including bypassPermissions, after the user invokes the CLI.
Decision evidence
public snapshot- dist/index.js bin performs broad user-invoked system setup: apt/brew/npm installs, systemd/launchd units, cron/service config, and payload copy to ~/sitedesk-code.
- dist/index.js seeds brand-scoped Claude config at ~/.sitedesk-code/.claude, registers Claude plugin marketplaces/plugins, and symlinks bundled agents.
- dist/permissions-seed.js writes permissions.defaultMode=bypassPermissions and autoMode allow text into the brand Claude settings.
- dist/index.js downloads/install scripts from deb.nodesource.com, ollama.ai, astral.sh, github.com/cloudflare, Google/Neo4j package repos, and npm/Claude plugin sources.
- package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is publisher-side only.
- Dangerous behavior is reached by the create-sitedesk-code bin, not automatically on npm install/import.
- Claude writes are under package-owned ~/.sitedesk-code/.claude rather than broad ~/.claude by default.
- Network and shell activity is aligned with an appliance installer and dependency provisioning.
- No credential harvesting or exfiltration to attacker-controlled endpoints found in inspected entrypoint.
- Payload plugins declare first-party SiteDesk/Maxy Claude plugin/MCP functionality rather than hidden obfuscated payloads.
Source & flagged code
24 flagged · loading sourcePackage contains a possible secret pattern.
payload/platform/scripts/smoke-boot-services.shView on unpkg · L317A single source file combines environment access, network access, and code or shell execution with blocking evidence.
dist/index.jsView on unpkg · L134Source downloads or fetches remote code and executes it.
dist/index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L1066Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/index.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
dist/index.jsView on unpkg · L1Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkgPackage ships non-JavaScript build or shell helper files.
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkgPackage ships high-entropy non-source blobs.
payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/lib/graph-mcp/dist/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/admin/mcp/dist/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/lib/anthropic-key/dist/index.jsView on unpkgHardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView on unpkg · L52Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L28Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L43Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L57Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L127Hardcoded password in payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts
payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView on unpkg · L73