AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. This is a user-invoked inference CLI: prompts or explicitly selected edit-file contents may be sent to the configured model provider.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs chat, edit, models, or local-inference CLI commands.
Impact
User-directed cloud inference can disclose supplied prompts or chosen file contents to the selected provider; edit may overwrite only its explicit target file.
Mechanism
Configured AI inference, optional local runner execution, and explicit file editing.
Rationale
Source inspection shows expected, explicitly invoked AI CLI behavior with provider-specific endpoints and no install-time execution or concrete malicious chain. Scanner signals arise from legitimate API-key handling, network inference, and redacted README examples.
Evidence
package.jsondist/index.jsdist/config/manager.jsdist/utils/env.jsdist/cli/edit.jsdist/inference/local-adapter.jsdist/inference/gemini-adapter.jsdist/inference/nim-adapter.jsdist/inference/openrouter-adapter.js.env~/.buff/.env~/.buff/buffconfig.json~/.buff/cache.db<user-specified edit file>
Network endpoints4
generativelanguage.googleapis.com/v1beta/modelsopenrouter.ai/api/v1integrate.api.nvidia.com/v1localhost:11434
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with high false-positive risk.
Evidence for block
- `dist/utils/env.js` reads `.env` and process environment.
- `dist/cli/edit.js` sends a user-selected file's content to the selected inference provider and can overwrite that file.
- `dist/inference/local-adapter.js` launches `python3` or `llama-cli` only for explicit local-inference modes.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `dist/index.js` only parses CLI arguments; importing/executing it performs no hidden setup.
- Cloud requests in `dist/inference/*-adapter.js` are provider-aligned and require explicit chat/edit/models commands plus configured credentials.
- Environment values are only assigned to the three documented provider API-key fields in `dist/config/manager.js`.
- No source writes AI-agent control files, harvests credentials for transmission, evaluates remote code, or creates stealth persistence.
- README key strings are redacted examples, not embedded credentials.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceREADME.mdView file
148patternName = google_api_key
severity = high
line = 148
matchedText = GEMINI_A...xxxx
High
148patternName = google_api_key
severity = high
line = 148
matchedText = GEMINI_A...xxxx
High
Findings
2 High2 Medium4 Low
HighHigh SecretREADME.md
HighSecret PatternREADME.md
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings