AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a local AI-agent runtime with expected local workspace initialization and user-invoked tools for shell, browser, and provider access.
Decision evidence
public snapshot
- package.json runs a postinstall script on install.
- scripts/postinstall.js creates workspace/* and copies workspace-templates/SOUL.md and starter skills on first install.
- dist/tools/v4/terminal/shellExec.js exposes user-invoked shell execution as a dangerous tool.
- dist/core/recipeEngine.js uses new Function for user recipe conditions.
- scripts/postinstall.js performs only local mkdir/copy under package root; no network, shell, credential reads, or exfiltration.
- dist/tools/v4/web/openUrl.js validates http/https URLs and launches OS browser with shell:false.
- dist/core/v4/util/spawnCommand.js explicitly avoids shell injection and quotes Windows shim args.
- dist/moat/tirithScanner.js contains Unicode scanner regexes intentionally detecting bidi/zero-width characters, not hidden control flow.
- skills/installed/infrastructure/SKILL.md contains documented placeholder/example cloud secrets, not active credentials.
- workspace-templates/permissions.yaml and shellExec preview deny/flag destructive shell patterns.
Source & flagged code
20 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Package contains a critical-looking secret pattern. (skills/installed/infrastructure/SKILL.md, L146)
- AWS access key ID in skills/installed/infrastructure/SKILL.md (skills/installed/infrastructure/SKILL.md, L146)
- Package source references child process execution. (dist/tools/v4/web/openUrl.js, L33)
- Package source references shell execution. (dist/core/v4/util/spawnCommand.js#virtual:normalized:round1, L18)
- Package source references a known benign dynamic code generation pattern. (dist/core/recipeEngine.js, L91)
- Package source references dynamic require/import behavior. (dist/tools/eonetTool.js, L7)
- Package source executes code through a VM context API. (dist/core/runSandbox.js, L1)
- Package source references weak cryptographic algorithms. (dist/core/memoryStrategy.js, L65)
- Source writes installer persistence such as shell profile or service configuration. (dist/core/toolRegistry.js, L61)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/cli/v4/commands/daemon.js, L499)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js, L14)
- Source reaches cloud instance metadata or link-local credential endpoints. (dist/moat/ssrfProtection.js, L10)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (dist/moat/tirithScanner.js, L37)
- Package ships non-JavaScript build or shell helper files. (scripts/uninstall.ps1)
- Hardcoded password in skills/installed/send-data/SKILL.md (skills/installed/send-data/SKILL.md, L95)
- Hardcoded password in skills/installed/data-pipeline-builder/SKILL.md (skills/installed/data-pipeline-builder/SKILL.md, L1037)
- Hardcoded password in skills/installed/bkend-auth/SKILL.md (skills/installed/bkend-auth/SKILL.md, L172)
- Hardcoded password in skills/installed/admin/SKILL.md (skills/installed/admin/SKILL.md, L197)