AI Security Review
scanned 21h ago · by lpm-firewall-aiAn explicitly launched desktop sidecar connects to its configured WebSocket gateway and executes a constrained desktop-command set. It can invoke fixed local helpers and read/write the configured X display clipboard. No malicious install-time or hidden payload attack surface was confirmed.
Decision evidence
public snapshot- `dist/index.cjs` is deliberately obfuscated, reducing auditability.
- Runtime connects to a configurable gateway and dispatches remote desktop commands.
- `clip_get` returns X clipboard contents through the command-result channel.
- `browser`/`terminal`/`memory` launch a fixed local `whalent-desktop` helper.
- `package.json` has no preinstall/install/postinstall hook; only publish-time `prepublishOnly`.
- `dist/index.cjs` restricts actions to browser, terminal, memory, resize, clip_set, and clip_get.
- Child processes use fixed executable names and argument arrays; no shell, eval, VM, or arbitrary command path was found.
- Resize and clipboard inputs are bounded; clipboard data is capped at 256 KB.
- No filesystem harvesting, writes, persistence, payload download, or destructive behavior was found.
Source & flagged code
4 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.cjsView on unpkg · L1Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/index.cjsView on unpkg · L1Package source references dynamic require/import behavior.
dist/index.cjsView on unpkg · L1