AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The high-risk primitives are part of a Claude Code PTY streamer and local updater, activated by explicit CLI/server use rather than install-time compromise.
Decision evidence
public snapshot- dist/seed-claude-config.cjs writes a Claude config path from CLAUDE_CONFIG when run directly, approving onboarding/trust flags for /data/.claude/projects.
- dist/index.cjs spawns the local claude CLI in a PTY with --permission-mode acceptEdits during user-requested sessions.
- dist/cli.cjs includes an updater that downloads release assets and swaps ~/.threadbase/current when update commands or signed update webhook are used.
- package.json postinstall only chmods node-pty prebuild spawn-helper and ignores failures; no package code execution beyond that helper permission fix.
- dist/index.cjs /api/__update requires configured webhook_secret and HMAC signature before spawning cli update --force.
- dist/cli.cjs updater verifies manifest sha256 and size before unpacking downloaded artifacts.
- README.md and CLI behavior align with PTY session management, WebSocket server, pairing, and local Claude Code control.
- No credential harvesting or exfiltration endpoint found; API key writes are local ~/.threadbase/server.yaml or sealed pairing responses.
Source & flagged code
7 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.cjsView on unpkg · L101Package contains source files above the static scanner size ceiling.
dist/cli.cjsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
dist/cli.cjsView on unpkg