AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a CLI-managed AI agent platform with dangerous user-invoked capabilities, but they are aligned with daemon/agent operation and not triggered by installation or import.
Decision evidence
public snapshot- dist/runtime/agent/bootstrap.js exposes shell_run and web_fetch/http tools that can execute commands and fetch URLs when an agent is running.
- dist/runtime/install/upgrade-runner.js can spawn npm install -g and restart the daemon, but only from explicit upgrade flow env/config.
- dist/runtime/supervisor/bootstrap.js starts local web/connector services and can bind web host from TWENTYTWOHUNDRED_WEB_HOST.
- package.json has no install/postinstall lifecycle hooks; bin is explicit CLI dist/cli/main.js and main only reads package version.
- dist/cli/main.js only parses commands when invoked directly; import does not start daemon or agents.
- dist/runtime/agent/bootstrap.js requires TWENTYTWOHUNDRED_AGENT_NAME, IDENTITY_PATH, SOCKET_PATH, and HOME before starting.
- Command execution is a named agent tool bounded to ctx.projectDir, not install-time or import-time behavior.
- Network endpoints are package-aligned AI/search/OAuth/registry/local services and user-invoked connector calls; no hidden exfil endpoint found.
- Credentials and OAuth tokens are stored in encrypted package state/vault paths, not harvested broadly at install/import time.
Source & flagged code
6 flagged · loading sourcePackage source references child process execution.
dist/runtime/install/upgrade-runner.jsView on unpkg · L1Source executes local commands and sends command output to an external endpoint.
dist/runtime/agent/bootstrap.jsView on unpkg · L1Package source references weak cryptographic algorithms.
dist/runtime/agent/bootstrap.jsView on unpkg · L1Source launches a detached bundled service that exposes a broad-bound HTTP listener.
dist/runtime/supervisor/bootstrap.jsView on unpkg · L3A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/main.jsView on unpkg · L6Package contains source files above the static scanner size ceiling.
dist/connectors/discord/gateway.cjsView on unpkg