AI Security Review
scanned 12h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI execution provisions a SiteDesk platform with privileged host changes and branded Claude Code extensions. It also disables Claude permission checks inside that branded configuration and invokes remote vendor bootstrap scripts.
Decision evidence
public snapshot- `dist/index.js` performs a full privileged system installer when the CLI is invoked.
- `dist/index.js` seeds a brand-scoped Claude config and runs `claude plugin marketplace add/install` with `CLAUDE_CONFIG_DIR` set to its own persistent directory.
- `dist/permissions-seed.js` sets Claude `defaultMode` to `bypassPermissions` for the branded agent environment.
- `dist/index.js` downloads and pipes vendor install scripts through shells, including NodeSource, Ollama, and uv installers.
- `dist/index.js` writes services, cron entries, system configuration, and persistent platform files during explicit setup.
- `package.json` has no `preinstall`, `install`, or `postinstall`; `prepublishOnly` is not consumer install-time.
- `package.json` exposes `dist/index.js` only as a user-invoked CLI binary.
- Claude changes are scoped through `CLAUDE_CONFIG_DIR` to the package's branded persistent directory, not the default global `.claude` directory.
- `payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.js` uses an existing `cloudflared` binary; no binary download or remote-code loader was found.
- Inspected endpoints are package-aligned dependency, Cloudflare, or loopback service endpoints; no credential harvesting or exfiltration path was found.
Source & flagged code
24 flagged · loading sourcePackage contains a possible secret pattern.
payload/platform/scripts/smoke-boot-services.shView on unpkg · L334A single source file combines environment access, network access, and code or shell execution with blocking evidence.
dist/index.jsView on unpkg · L140Source downloads or fetches remote code and executes it.
dist/index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L283Source writes installer persistence such as shell profile or service configuration.
dist/index.jsView on unpkg · L1Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkgPackage ships non-JavaScript build or shell helper files.
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkgPackage ships high-entropy non-source blobs.
payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/admin/lib/mcp-spawn-tee/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/aeo/lib/mcp-spawn-tee/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/browser/lib/mcp-spawn-tee/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/connector/lib/mcp-spawn-tee/index.jsView on unpkgHardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView on unpkg · L52Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L28Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L43Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L57Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L127Hardcoded password in payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts
payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView on unpkg · L73