AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. When an operator runs `watch`, server-assigned work triggers a privileged Claude/Codex session in a repository worktree. The runner temporarily installs first-party MCP configuration containing task credentials and can autonomously replace its global npm package.
Decision evidence
public snapshot- `dist/engines/claude-code.js` launches Claude with `--dangerously-skip-permissions`.
- `dist/task-runner.js` writes token-bearing `.mcp.json` in an assigned task worktree before agent launch.
- `dist/mcp-spawn.js` can configure `npx -y @tokenfactory/acc-mcp-server` for that MCP entry.
- `dist/runtime/self-upgrade.js` fetches npm latest, globally installs it, then detached re-execs.
- `dist/secrets/inject.js` obtains runtime secret plaintext from the configured ACC API for tool arguments.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- CLI actions are invoked through the `acc-runner` bin; import-time execution is not established.
- `dist/mcp-spawn.js` restores a prior `.mcp.json` or deletes the temporary file after use.
- `dist/keychain.js` stores session tokens with OS keychain APIs rather than plaintext files.
- No source evidence shows credential exfiltration to an unrelated endpoint or destructive behavior.
Source & flagged code
7 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/task-runner.jsView on unpkg · L355Package source references weak cryptographic algorithms.
dist/runtime/singleton.jsView on unpkg · L41A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/login.jsView on unpkg · L66