AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. An authenticated user who runs `acc-runner watch` accepts ACC task assignments that start a local coding-agent session. The runner temporarily injects its ACC MCP server configuration, including a user access token, into the task worktree and restores it afterward. It also supports autonomous global package upgrades while watching.
Decision evidence
public snapshot- `dist/mcp-spawn.js` writes token-bearing `.mcp.json` entries and may invoke `npx -y @tokenfactory/acc-mcp-server`.
- `dist/task-runner.js` receives server-assigned tasks, writes MCP configuration in a task worktree, and spawns a coding agent with task prompts.
- `dist/runtime/self-upgrade.js` automatically runs global npm/pnpm installs and re-execs during `watch` unless opted out.
- `dist/secrets/inject.js` retrieves named secret plaintext under the runner JWT for MCP tool arguments.
- `package.json` contains no `preinstall`, `install`, `postinstall`, or other lifecycle hooks.
- `dist/cli.js` activates behavior only through explicit CLI commands such as `login` and `watch`.
- `dist/keychain.js` stores sessions through the OS keychain; no source evidence harvests arbitrary local credentials.
- No `eval`, VM execution, obfuscated payload, or unrelated exfiltration endpoint was found in inspected runtime code.
Source & flagged code
7 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/task-runner.jsView on unpkg · L355Package source references weak cryptographic algorithms.
dist/runtime/singleton.jsView on unpkg · L41A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/login.jsView on unpkg · L66