AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The package is a user-invoked AI agent runtime with expected dangerous capabilities: local daemon, child agent processes, shell/http tools, OAuth vaults, and connector listeners.
Decision evidence
public snapshot- dist/runtime/agent/bootstrap.js defines agent tools including shell_run and http_request, allowing user-created agents to run commands and make network requests.
- dist/runtime/supervisor/bootstrap.js starts a connector MCP listener on 0.0.0.0 by default when enabled, gated by bearer/OAuth auth.
- dist/runtime/install/upgrade-runner.js can run npm install -g during the explicit update flow.
- package.json has no install/postinstall lifecycle hooks; executable entrypoint is the user-invoked bin dist/cli/main.js.
- dist/index.js only reads package.json to export VERSION; no import-time network, process spawn, or credential access.
- README.md describes these primitives as the product: local always-on agents, local supervisor daemon, OAuth/credential vault, connectors, and update command.
- dist/runtime/agent/bootstrap.js requires supervisor-provided TWENTYTWOHUNDRED_* env vars and runs only as an agent child process, not on package import/install.
- Shell execution is exposed as an agent tool bounded to the agent project directory and returned through the agent loop, not hidden install-time exfiltration.
- Credential HTTP helper injects vault secrets into user-requested HTTP calls and redacts echoed values before returning them.
Source & flagged code
6 flagged · loading sourcePackage source references child process execution.
dist/runtime/install/upgrade-runner.jsView on unpkg · L1Source executes local commands and sends command output to an external endpoint.
dist/runtime/agent/bootstrap.jsView on unpkg · L1Package source references weak cryptographic algorithms.
dist/runtime/agent/bootstrap.jsView on unpkg · L1Source launches a detached bundled service that exposes a broad-bound HTTP listener.
dist/runtime/supervisor/bootstrap.jsView on unpkg · L3A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli/main.jsView on unpkg · L6Package contains source files above the static scanner size ceiling.
dist/connectors/discord/gateway.cjsView on unpkg