AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit installer execution provisions a persistent SiteDesk/Claude environment and privileged local services. It weakens Claude permission checks in a package-owned configuration directory and permits scoped Cloudflare token operations.
Decision evidence
public snapshot- `dist/index.js` is an explicit installer that runs privileged package/system setup and deploys services.
- `dist/permissions-seed.js` writes Claude `defaultMode: "bypassPermissions"` plus Cloudflare auto-mode allowances.
- `dist/index.js` invokes that seed under the brand-scoped `~/.sitedesk-code/.claude` directory.
- `dist/index.js` registers Claude marketplaces/plugins and specialist-agent symlinks during installer execution.
- `dist/index.js` configures persistent system services, cron, Cloudflare tooling, and package repositories after invocation.
- `package.json` has no `preinstall`, `install`, or `postinstall` hook; only `prepublishOnly` is declared.
- The high-impact path is reached by explicitly running the `create-sitedesk-code` bin, not package installation.
- `payload/platform/config/brand.json` scopes config to `.sitedesk-code`, rather than the user's global `.claude` directory.
- No `eval`, `Function`, VM loading, or unbounded dynamic module execution was found in installer source.
- No concrete secret harvesting or exfiltration chain was confirmed from inspected installer files.
Source & flagged code
24 flagged · loading sourcePackage contains a possible secret pattern.
payload/platform/scripts/smoke-boot-services.shView on unpkg · L335A single source file combines environment access, network access, and code or shell execution with blocking evidence.
dist/index.jsView on unpkg · L141Source downloads or fetches remote code and executes it.
dist/index.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L284Source writes installer persistence such as shell profile or service configuration.
dist/index.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
payload/platform/plugins/admin/mcp/dist/index.jsView on unpkg · L1Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkgPackage ships non-JavaScript build or shell helper files.
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkgPackage ships high-entropy non-source blobs.
payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/admin/lib/mcp-spawn-tee/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/aeo/lib/mcp-spawn-tee/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/browser/lib/mcp-spawn-tee/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
payload/platform/plugins/connector/lib/mcp-spawn-tee/index.jsView on unpkgHardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView on unpkg · L52Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L28Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L43Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L57Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L127Hardcoded password in payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts
payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView on unpkg · L73