AI Security Review
scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Confirmed lifecycle setup of a first-party AI agent workspace and bundled skills, but not unconsented mutation of foreign agent control surfaces. Remaining risk is agent extension lifecycle setup inside the package's own namespace.
Decision evidence
public snapshot
- package.json runs postinstall: node scripts/postinstall.js
- scripts/postinstall.js creates workspace dirs and copies workspace-templates/skills into workspace/skills on first install
- Package is an AI agent runtime with bundled skills and MCP integration
- dist/core/v4/mcp/install/clientPaths.js targets Claude/Cursor/VS Code config paths when invoked
- postinstall writes only package-local workspace/logs paths under the installed package root
- No postinstall write to Claude/Cursor/Codex home configs or broad foreign agent surfaces found
- MCP client config writes are under explicit aiden mcp init/repair/uninstall commands with prompts/backups
- dist/core/v4/skillFreshness.js only fetches a package-aligned manifest and caches freshness metadata
- dist/moat/tirithScanner.js Unicode controls are regex literals for detecting Trojan Source, not hidden control flow
Source & flagged code
15 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- dist/tools/v4/web/openUrl.js (line 33): Package source references child process execution.
- dist/core/v4/util/spawnCommand.js (line 18): Package source references shell execution.
- dist/core/recipeEngine.js (line 91): Package source references a known benign dynamic code generation pattern.
- dist/tools/eonetTool.js (line 7): Package source references dynamic require/import behavior.
- dist/core/runSandbox.js (line 1): Package source executes code through a VM context API.
- dist/core/memoryStrategy.js (line 65): Package source references weak cryptographic algorithms.
- dist/core/toolRegistry.js (line 61): Source writes installer persistence such as shell profile or service configuration.
- dist/cli/v4/commands/daemon.js (line 499): A single source file combines environment access, network access, and code or shell execution; review context before blocking.
- plugins/aiden-plugin-cdp-browser/lib/chromeLauncher.js (line 14): Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
- dist/moat/ssrfProtection.js (line 10): Source reaches cloud instance metadata or link-local credential endpoints.
- dist/moat/tirithScanner.js (line 37): Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
- scripts/uninstall.ps1: Package ships non-JavaScript build or shell helper files.
- dist/core/v4/skillFreshness.js: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.