AI Security Review
scanned 31m ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI performs user-invoked updates, optional FFmpeg setup, and configured AI-provider calls for its stated collaborative terminal app features.
Decision evidence
public snapshot- `dist/chunks/update-UEPNGB6Y.js` can run `npm install -g accelr8@latest`, but only from the interactive update action.
- `dist/chunks/chunk-3JNUWI22.js` stores user-provided AI API keys locally and sends them to their selected Anthropic/OpenAI API endpoint during explicit agent use.
- `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook executes for consumers.
- `dist/cli.js` gates all behavior behind explicit CLI invocation; dynamic imports select normal client/server/agent commands.
- `dist/chunks/install-DL5WLVXN.js` only proposes or runs FFmpeg installation after an in-app confirmation.
- `dist/chunks/chunk-3JNUWI22.js` limits Claude CLI to plan mode and disallows file, shell, web, and task tools.
- No hidden endpoint, remote code loader, credential harvesting, destructive action, or foreign AI-agent configuration write was found.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
dist/chunks/chunk-3JNUWI22.jsView on unpkg · L148A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/chunks/chunk-3JNUWI22.jsView on unpkg · L135Package source invokes a package manager install command at runtime.
dist/chunks/update-UEPNGB6Y.jsView on unpkg · L60This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunks/install-DL5WLVXN.jsView on unpkg