AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious or install-time attack surface. Potentially destructive operations are explicit framework CLI migration commands against the caller-configured project database.
Decision evidence
public snapshot- `dist/commands/cli.js` uses shell-backed `spawn` only in explicit development/test/lint CLI commands.
- `dist/commands/runner/barrels.js` runs `bunx barrelsby` only when its named CLI commands are invoked.
- `dist/commands/runner/da-migration.js` dynamically imports project migration files and has an explicit destructive fresh-migration command.
- `dist/commands/runner/migration.js` has an explicit `migrate:fresh` path that drops the project database schema.
- `package.json` has no preinstall, install, postinstall, prepare, or bin entry.
- `dist/index.js` only re-exports modules; it does not call `runCli` or execute commands on import.
- No source references AI-agent control files, credential stores, or remote exfiltration APIs.
- ClickHouse access is an explicitly configured migration feature with a localhost default.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/commands/runner/da-migration.jsView on unpkg · L163Package source references dynamic require/import behavior.
dist/commands/runner/da-migration.jsView on unpkg · L31This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands/cli.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/commands/runner/barrels.jsView on unpkg · L19