AI Security Review
scanned 20m ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Explicit CLI commands write project-local configuration or generated app files, and the `dev` command installs the generated app's fixed dependencies before starting Next.js.
Decision evidence
public snapshot- bin/aetherml.js: explicit `dev` runs `npm install` with `shell: true` in generated `dist_app`.
- bin/aetherml.js: explicit interactive `init` writes a supplied provider key to local `.env`.
- src/core/provider-adapter.js: `generate` sends user prompts to the selected AI provider using configured credentials.
- package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
- bin/aetherml.js only executes after the user invokes its CLI; no-argument use shows help.
- src/core/enterprise-generator.js fixes generated dependencies to Next/React and optional declared integrations.
- No source reads broad credential stores, agent configuration directories, SSH files, or npm config.
- No eval, VM, dynamic code loading, binary payload, persistence, or destructive filesystem behavior found.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/aetherml.jsView on unpkgPackage source invokes a package manager install command at runtime.
bin/aetherml.jsView on unpkg · L267Package source references weak cryptographic algorithms.
bin/aetherml.jsView on unpkg · L4