AI Security Review
scanned 5h ago · by lpm-firewall-aiA normal CLI action can launch a detached unauthenticated daemon. Its HTTP API exposes browser control and page-context JavaScript evaluation; the server is not explicitly bound to loopback.
Decision evidence
public snapshot- `src/daemon.ts` starts an unauthenticated HTTP server with `listen(port)` and no loopback host binding.
- `src/daemon.ts` exposes POST `/sessions/:name/eval`, forwarding request data to browser evaluation.
- `src/browser.ts` executes supplied script via `page.evaluate` and `eval(script)`.
- `src/daemon-process.ts` automatically launches the detached daemon for normal CLI client commands.
- The daemon can navigate Playwright to arbitrary URLs, creating a network-reachable browser-control surface.
- `package.json` contains no preinstall, install, or postinstall lifecycle hook.
- All package-controlled HTTP client calls target `http://localhost:${port}`; no remote collector is hardcoded.
- `src/daemon-process.ts` only spawns this package's `daemon-entry.js` and manages its PID/log files.
- No source evidence of credential harvesting, AI-agent config mutation, payload download, or stealth persistence.
Source & flagged code
4 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/daemon-process.jsView on unpkgPackage source references child process execution.
dist/src/daemon-process.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/src/daemon-process.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/src/daemon-client.jsView on unpkg · L78