AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface by static inspection. Network, shell, package-manager, and MCP-config behaviors are tied to documented, user-invoked CLI features for somewhere.tech deployment, auth, MCP, and swpx gating.
Decision evidence
public snapshot- package.json has only prepublishOnly build script, no install/postinstall lifecycle execution
- bin/somewhere.js only imports dist/index.js and registers user-invoked CLI commands
- dist/commands/browser.js sends explicit browser test requests to the package API, no import/install-time behavior
- dist/swpx/spawn.js delegates to real npx/npm after verdict checks; shell only on win32 for .cmd shims
- dist/commands/update.js runs npm view/install only when user invokes `somewhere update`
- dist/lib/config.js MCP config writes are explicit CLI/login/init behavior and use stdio bridge without embedded token
Source & flagged code
5 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/local/runtime.jsView on unpkg · L36Package source invokes a package manager install command at runtime.
dist/commands/update.jsView on unpkg · L52This package version adds a dangerous source file absent from the previous stored version.
dist/commands/browser.jsView on unpkg