AI Security Review
scanned 2h ago · by lpm-firewall-aiNo automatic install-time attack surface is confirmed. Explicit `storm-prepare` setup can install Lefthook-managed VCS hooks in the current workspace.
Decision evidence
public snapshot- `bin/prepare.cjs` invokes a hook installer when explicitly run.
- `bin/chunk-J4XLLB7C.cjs` runs `pnpm lefthook install` outside CI.
- `bin/pre-install.cjs` can run `npx -y only-allow pnpm` when explicitly invoked.
- `bin/git.cjs` reads GitHub credentials only for release/API commands.
- `package.json` contains no npm lifecycle scripts.
- No AI-agent configuration paths or control-surface writes found.
- No eval, VM, encoded payload, or remote code-loading path found.
- Network lookup is a direct `ungh.cc` user-metadata request; GitHub token use is release-command scoped.
- Hook and shell actions are named CLI commands, not install-time behavior.
Source & flagged code
4 flagged · loading source`bin/prepare.cjs` invokes a hook installer when explicitly run.
bin/prepare.cjsView on unpkg`bin/chunk-J4XLLB7C.cjs` runs `pnpm lefthook install` outside CI.
bin/chunk-J4XLLB7C.cjsView on unpkg`bin/pre-install.cjs` can run `npx -y only-allow pnpm` when explicitly invoked.
bin/pre-install.cjsView on unpkg`bin/git.cjs` reads GitHub credentials only for release/API commands.
bin/git.cjsView on unpkg