AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. Risky primitives are explicit product features for an AI agent platform: CLI setup, sandboxed workers, web fetch/search, model proxying, and WeChat media integration.
Decision evidence
public snapshot- plugins/workboard/dist/worker/opencode-worker.js can user-run `npm i -g opencode-ai@1.17.13` and `opencode run` inside a configured sandbox worker.
- packages/server/dist/setup/start-server.js and launchd.js can write launchd plists and .env during explicit `tianshu setup/start`.
- plugins/wechat/dist/ilink-media.js reads caller-supplied local files and uploads encrypted media to Tencent iLink/CDN endpoints.
- package.json has no install/postinstall lifecycle; only prepublishOnly build, so install-time execution is not present.
- bin/tianshu.mjs only resolves and imports packages/server/dist/cli.js when the user invokes the CLI.
- plugins/web-search/dist/tools/web-fetch.js blocks localhost, private, link-local, and metadata hosts before fetching and after redirects.
- OpenCode worker is gated by configured workboard agents plus sandbox.shell and host.opencodeProxy capabilities, not automatic import/install behavior.
- launchd persistence requires explicit CLI setup/start flow with prompts and writes a product service plist.
- Network endpoints are package-aligned: model providers, Tencent iLink/CDN, plugin catalog, local health checks, and optional search MCP providers.
Source & flagged code
5 flagged · loading sourcePackage source references dynamic require/import behavior.
bin/tianshu.mjsView on unpkg · L29Package source references weak cryptographic algorithms.
plugins/wechat/dist/ilink-media.jsView on unpkg · L18Source writes installer persistence such as shell profile or service configuration.
packages/server/dist/setup/start-server.jsView on unpkg · L21Source reaches cloud instance metadata or link-local credential endpoints.
plugins/web-search/dist/tools/web-fetch.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version.
plugins/workboard/dist/worker/opencode-worker.jsView on unpkg