AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious install-time attack surface was established. The runtime CLI is an obfuscated AI agent wrapper/daemon that uses network, child processes, and package self/core update behavior when explicitly invoked.
Decision evidence
public snapshot- package.json has preinstall: node scripts/preinstall-check.cjs
- dist/index.cjs and dist/core.cjs are heavily obfuscated bundled CLI files
- dist/index.cjs performs runtime npm registry probing and can install/update @whalent/agent or @whalent/agent-core when the CLI is run
- dist/core.cjs contains expected agent gateway/terminal/AI-provider control code with child_process, fs, ws/undici-style behavior
- scripts/preinstall-check.cjs only checks Node major version and prints an install hint; no network, file write, shell, or agent-control mutation
- No install-time credential harvesting or exfiltration found in inspected lifecycle hook
- Runtime network and process control are aligned with a user-invoked Whalent AI agent/daemon CLI
- Auto-update/install paths target the same @whalent packages through npm registries, not an unrelated payload host
- No prompt/reviewer manipulation or package-review instruction injection found in package files
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/index.cjsView on unpkg · L1Package source references dynamic require/import behavior.
dist/index.cjsView on unpkg · L1Package contains source files above the static scanner size ceiling.
dist/core.cjsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
dist/core.cjsView on unpkg