AI Security Review
scanned 20h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Process execution, project-file generation, package installation, and local HTTP/WebSocket serving are explicit CLI development actions.
Decision evidence
public snapshot- `dist/plugin.js` invokes build/device commands only through explicit CLI subcommands.
- `dist/prebuild.js` imports and executes the project's `signalx.config.*` during explicit prebuild.
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `dist/index.js` is an export entrypoint; no install-time execution path was found.
- `dist/web-server.js` serves local project assets and binds loopback unless `--host` is explicitly requested.
- `dist/packages.js` limits its package-manager add flow to user-requested `@sigx/lynx-*` modules.
- `dist/device-detect.js` reads Android/JDK environment paths for local tooling, not credentials.
- The bundled Gradle JAR is paired with standard wrapper metadata in `templates/android/gradle/wrapper/gradle-wrapper.properties`.
Source & flagged code
9 flagged · loading sourcePackage source references child process execution.
dist/web-server.jsView on unpkg · L20This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/prebuild.jsView on unpkgPackage source references dynamic require/import behavior.
dist/prebuild.jsView on unpkg · L195Package source invokes a package manager install command at runtime.
dist/dev-server.jsView on unpkg · L730Package ships non-JavaScript build or shell helper files.
templates/android/gradlew.batView on unpkgPackage ships high-entropy non-source blobs.
templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkgPackage ships compressed or archive-like blobs.
templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkg