AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Network, shell, file, and launchd behavior are aligned with an AI agent platform, web search, sandbox runner, setup command, and WeChat integration, and are user/runtime invoked rather than install-time hidden execution.
Decision evidence
public snapshot- package.json has no install/postinstall hooks; prepublishOnly is publish-time build only.
- bin/tianshu.mjs only resolves packages/server/dist/cli.js relative to the package and imports main().
- plugins/web-search/dist/tools/web-fetch.js implements user-requested HTTP fetch and blocks localhost, private ranges, link-local, and metadata hosts before redirects.
- plugins/workboard/dist/worker/opencode-worker.js runs opencode only for a workboard task inside the configured shell sandbox with a per-task proxy token that is revoked in finally.
- packages/server/dist/setup/start-server.js and setup/launchd.js write .env/plist only during explicit setup/start flows with prompts or service commands.
- plugins/wechat/dist/ilink-media.js reads a caller-supplied file path and uploads encrypted media to Tencent iLink/CDN as part of the WeChat plugin workflow.
Source & flagged code
5 flagged · loading sourcePackage source references dynamic require/import behavior.
bin/tianshu.mjsView on unpkg · L29Package source references weak cryptographic algorithms.
plugins/wechat/dist/ilink-media.jsView on unpkg · L18Source writes installer persistence such as shell profile or service configuration.
packages/server/dist/setup/start-server.jsView on unpkg · L21Source reaches cloud instance metadata or link-local credential endpoints.
plugins/web-search/dist/tools/web-fetch.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version.
plugins/workboard/dist/worker/opencode-worker.jsView on unpkg