AI Security Review
scanned 2h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is an agent SDK with user-invoked network, filesystem, shell, and MCP capabilities plus disclosed coarse telemetry/update checks.
Decision evidence
public snapshot
- dist/query.js calls opt-out telemetry and update checks when query() runs
- dist/sandbox/local.js exposes user-invoked local shell and filesystem methods
- dist/mcp/stdio.js can spawn user-configured MCP server commands
- dist/tools/web_fetch.js and dist/tools/web_search.js fetch via Jina/DuckDuckGo by explicit tool use
- package.json has no preinstall/install/postinstall hook; only prepublishOnly build
- dist/skills/parse.js only parses markdown frontmatter; the character the scanner highlighted is an optional BOM (U+FEFF) in the frontmatter regex, not a bidi control
- dist/fs/linuxTree.js writes sandbox /etc files and .bashrc only through caller-provided virtual fs
- dist/telemetry.js whitelists coarse fields; code comments and the README state that no prompts, code, paths, keys, or endpoints are sent
- dist/update.js only reads npm latest version and never installs or mutates files
- No credential harvesting, remote payload loading, persistence, destructive action, or AI-agent config hijack found
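Two of the items above (no install-time lifecycle hook in package.json, and the flagged "invisible character" being a BOM rather than a bidi control) are cheap to re-check locally. The following is an added example written for this review, not code from the scanner or from the scanned package: it assumes a package.json object and a few source lines that are constructed here, and the function names are its own.

```javascript
// Added example: offline re-check of two scanner findings.
//  1. Does package.json declare scripts that run when a consumer installs the package?
//  2. Does a source line contain bidi controls (Trojan Source) or only a benign BOM?
// The package.json objects and source lines below are constructed samples.

// Lifecycle scripts that execute during `npm install` of this package.
// `prepare` is included because it runs for git dependencies and in-repo installs.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns the names of install-time scripts declared in package.json (empty = none).
function installTimeScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return Object.keys(scripts).filter((name) => INSTALL_HOOKS.includes(name));
}

// Bidi override/embedding/isolate controls used in Trojan Source attacks.
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069]/g;
// Zero-width characters that can hide text but are not bidi reordering controls.
const ZERO_WIDTH = /[\u200B-\u200D\u2060]/g;
// Byte-order mark: legitimate at the start of a file or as an optional
// first character in a frontmatter regex.
const BOM = /\uFEFF/g;

// Reports the index of every invisible code point on a line, by class,
// so a reviewer can tell a BOM from a real bidi control.
function classifyInvisible(line) {
  const positions = (re) => [...line.matchAll(re)].map((m) => m.index);
  return {
    bidi: positions(BIDI_CONTROLS),
    zeroWidth: positions(ZERO_WIDTH),
    bom: positions(BOM),
  };
}

// Triage verdict: bidi controls block, zero-width chars need a look, a BOM is informational.
function trojanSourceVerdict(line) {
  const c = classifyInvisible(line);
  if (c.bidi.length > 0) return 'blocking';
  if (c.zeroWidth.length > 0) return 'review';
  if (c.bom.length > 0) return 'info';
  return 'clean';
}

// Constructed package.json shaped like the one described in the evidence list:
// only a prepublishOnly build, no install hooks.
const samplePkg = {
  name: 'example-agent-sdk',
  scripts: { build: 'tsc', prepublishOnly: 'npm run build', test: 'vitest' },
};
// Constructed counterexample with a postinstall hook that would warrant scrutiny.
const samplePkgWithHook = {
  name: 'example-agent-sdk',
  scripts: { postinstall: 'node scripts/setup.js', build: 'tsc' },
};

// Constructed source line: a frontmatter regex with an optional BOM, the benign case.
const frontmatterLine = 'const FRONTMATTER = /^\uFEFF?---\\r?\\n([\\s\\S]*?)\\r?\\n---/;';
// Constructed source line: an RLO plus isolates that reorder how a comment renders.
const trojanLine = 'const access = isAdmin; /* \u202E } \u2066if (isAdmin)\u2069 \u2066*/ */';

console.log('install hooks (clean pkg):', installTimeScripts(samplePkg));
console.log('install hooks (hooked pkg):', installTimeScripts(samplePkgWithHook));
console.log('frontmatter regex:', trojanSourceVerdict(frontmatterLine), classifyInvisible(frontmatterLine));
console.log('trojan line:', trojanSourceVerdict(trojanLine), classifyInvisible(trojanLine));
```

Run it against the real package.json and the flagged lines of dist/skills/parse.js to reproduce the evidence: a lone U+FEFF inside a regex literal yields `info`, while any U+202A–U+202E or U+2066–U+2069 yields `blocking`.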
Source & flagged code
3 flagged
- Source writes installer persistence such as shell profile or service configuration (dist/fs/linuxTree.js, line 27)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks (dist/skills/parse.js, line 3)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior (dist/skills/parse.js)