AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- dist/cli.js init/configure can merge a tmail MCP block into many IDE/agent config paths under the project.
- dist/cli.js runInit also writes .tmail/AGENT-GATE.md, patches AGENTS.md, and updates .gitignore.
- dist/cli.js stores bind/login API credentials in .tmail/<wallet_slug>/profile/session.json after explicit MCP bind/login tools.
- package.json has no preinstall/install/postinstall lifecycle; only prepublishOnly runs tests/build before publishing.
- Config mutation is explicit user-command behavior: npx @tmail/mcp init/configure, often interactive or --host selected.
- Network calls use user-provided TMAIL_API_URL/api_url and TMail API paths, not hardcoded exfiltration endpoints.
- sanitizeForTool strips api_key, refresh_token, access_token, secrets, passphrase, and private key fields from tool output.
- dist/cli.js rejects owner and bind-invite keys as persisted sub-agent session api_key values.
- execSync is limited to local zstd decompression during user-invoked E2EE attachment decrypt.
Source & flagged code
6 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/index.jsView on unpkg · L36Source appears to send environment or credential material to an external endpoint.
dist/cli.jsView on unpkg · L6A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L6Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.jsView on unpkg · L6