AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a web control panel for AI agent sessions with expected authenticated controls for providers, plugins, tunnels, and local config.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs callboard CLI/server and uses authenticated settings or chat workflows.
Impact
Expected management of ~/.callboard config, AI provider credentials, plugin hooks, local/remote proxy settings, and session files.
Mechanism
User-configured AI agent orchestration and local daemon management
Rationale
Scanner findings map to real dual-use AI-agent control features, but source inspection shows they are user-invoked/authenticated and aligned with the package purpose. I found no unconsented lifecycle mutation, harvesting, exfiltration, staged payload, or malicious install/import-time behavior.
Evidence
package.jsonbin/callboard.jsbackend/dist/index.jsbackend/dist/services/agent-settings.jsbackend/dist/routes/agent-settings.jsbackend/dist/services/claude.jsbackend/dist/services/custom-skills-service.jsbackend/dist/utils/paths.js~/.callboard/agent-settings.json~/.callboard/custom-skills~/.callboard/.env~/.callboard/callboard.pid~/.callboard/logs/callboard.log~/.claude/projects
Network endpoints6
registry.npmjs.org/${pkgName}/latestregistry.npmjs.org/${PKG_NAME}/latestopenrouter.ai/apiopenrouter.ai/api/v1127.0.0.1:9999localhost:${port}/api/auth/check
Decision evidence
public snapshotAI called this Clean at 82.0% confidence as Benign with high false-positive risk.
Evidence for block
- backend/dist/services/claude.js executes plugin hook shell commands and injects MCP/plugin tools into AI sessions, but only from configured/enabled plugins.
- backend/dist/routes/agent-settings.js can persist API keys, Codex/OpenRouter settings, tunnel settings, and caller bundles via authenticated settings endpoints.
- backend/dist/index.js starts local drawlatch daemon/web tunnel and exposes restart/status endpoints after auth.
Evidence against
- package.json lifecycle scripts are build/test/lint/publish checks; no install-time credential harvesting or payload execution found.
- bin/callboard.js is a user-invoked daemon CLI; dynamic imports load local backend utilities and server entrypoints.
- backend/dist/services/agent-settings.js OpenRouter/Codex env overrides are package-aligned settings for routing AI providers, not forced exfiltration.
- Network endpoints are expected product endpoints: npm version check, localhost health/proxy, OpenRouter, Cloudflare tunnel, and user-configured proxy URLs.
- Custom skills in backend/dist/services/custom-skills-service.js are user-created under ~/.callboard and injected only when present.
- No source evidence of prompt/reviewer manipulation, persistence outside app config, destructive lifecycle behavior, or credential exfiltration.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
GitDependency
Source & flagged code
2 flagged · loading sourcebin/callboard.jsView file
24// Import shared path utilities from compiled backend
L25: const { DATA_DIR, ENV_FILE, ensureDataDir, ensureEnvFile } = await import(join(PKG_ROOT, "backend/dist/utils/paths.js"));
L26:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/callboard.jsView on unpkg · L24backend/dist/services/agent-settings.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @wolpertingerlabs/callboard@1.0.0-alpha.35
matchedIdentity = npm:[redacted]:1.0.0-alpha.35
similarity = 0.975
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
backend/dist/services/agent-settings.jsView on unpkgFindings
1 Critical5 Medium5 Low
CriticalPrevious Version Dangerous Deltabackend/dist/services/agent-settings.js
MediumDynamic Requirebin/callboard.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings