AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package provides an opt-in, package-owned AI chat-agent feature. It persists user-supplied/provider-env credentials locally and sends room chat context to the selected provider; Claude Code use is constrained to plan mode with operational tools disabled. No unconsented install-time or foreign-agent control-surface mutation is established.
Decision evidence
public snapshot- `dist/cli.js` exposes explicit `agent` and `radio` commands.
- `dist/chunks/agentcli-ZI2O7ID7.js` prompts for provider credentials only under `accelr8 agent add`.
- `dist/chunks/chunk-3JNUWI22.js` stores accounts/tokens in `~/.accelr8` with 0600 permissions.
- `dist/chunks/chunk-3JNUWI22.js` sends configured chat context to OpenAI/Anthropic APIs.
- `dist/chunks/chunk-3JNUWI22.js` can spawn the local `claude` CLI, but fixes plan mode and disallows file, shell, web, and task tools.
- `dist/chunks/update-UEPNGB6Y.js` can run global npm update only from the interactive client update action.
- `package.json` has only `prepublishOnly`; there is no install-time lifecycle hook.
- No source writes foreign AI-agent configuration or broad control surfaces.
- No credential harvesting beyond explicitly entered or named provider env keys.
- No arbitrary shell command or remote payload execution was found.
- Network use is package-aligned: collaboration WebSocket, provider APIs, npm update check, and radio media.
- Package writes are scoped to `~/.accelr8` state, credentials, logs, and local server data.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunks/app-EOVXVIEE.jsView on unpkgPackage source references child process execution.
dist/chunks/app-EOVXVIEE.jsView on unpkg · L15Package source invokes a package manager install command at runtime.
dist/chunks/client-OIVTEENE.jsView on unpkg · L848A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/chunks/chunk-3JNUWI22.jsView on unpkg · L135