AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. Risky primitives are package-aligned SDK capabilities for agent workspaces and user-configured LLM/MCP/network tools, not hidden install-time or import-time behavior.
Decision evidence
public snapshot
- package.json has no install/postinstall hook; prepublishOnly only builds before publishing.
- dist/index.js is a barrel export; no import-time execution beyond module exports.
- dist/skills/parse.js BOM-tolerant regex is not Trojan Source control-flow deception.
- dist/fs/linuxTree.js only seeds caller-provided sandbox FS with FHS placeholder files.
- Shell, filesystem writes, MCP stdio, and web tools are SDK features invoked through query/tool APIs, not hidden lifecycle behavior.
- Telemetry/update checks are source-disclosed, opt-out, coarse, and do not harvest prompts, files, env, or credentials.
Source & flagged code
3 flagged
- dist/fs/linuxTree.js (L27): Source writes installer persistence such as shell profile or service configuration.
- dist/skills/parse.js (L3): Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
- dist/skills/parse.js: A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.