AI Security Review
scanned 2h ago · by lpm-firewall-aiThe explicit CLI starts a WebSocket TCP bridge and optional link-preview HTTP fetcher. This is an exposed network capability, not an install-time payload or covert collection path.
Static reason
No blocking static signals were detected.
Trigger
User runs `ws-tcp-proxy` / `node ws-tcp-proxy.mjs` and exposes its listening port.
Impact
If publicly exposed without an allowlist, it can be abused to reach permitted TCP destinations; explicitly enabling private unfurl access weakens SSRF protections.
Mechanism
Unauthenticated WebSocket-to-TCP proxy with optional guarded HTTP(S) metadata fetcher.
Rationale
The source is a transparent, package-aligned networking utility with no install-time execution or covert exfiltration. Its open-proxy and configurable SSRF capability remains a real deployment risk if exposed, so warn rather than block.
Evidence
package.jsonws-tcp-proxy.mjsunfurl.mjs
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `ws-tcp-proxy.mjs` starts an unauthenticated WebSocket-to-TCP bridge when its bin is run.
- Default empty allowlist permits TCP connections to caller-supplied IPs on IMAP/SMTP ports.
- Optional `/unfurl` fetches caller-supplied HTTP(S) URLs; `UNFURL_ALLOW_PRIVATE=1` disables private-IP blocking.
Evidence against
- `package.json` has no lifecycle scripts; install does not execute source.
- No credential harvesting, filesystem writes, shell execution, eval, dynamic loading, or persistence found.
- `unfurl.mjs` guards private addresses by default, rechecks redirects, and applies timeout, size, and rate limits.
- No hard-coded external endpoint or exfiltration behavior found.
Behavioral surface
EnvironmentVarsNetworkWebSocket
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
5 Medium
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence