AI Security Review
scanned 4h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. Risky primitives are SDK capabilities that require explicit host-app or user invocation, with no install-time or import-time execution path.
Decision evidence
public snapshot
- dist/telemetry.js has opt-out telemetry to https://anyclaude-telemetry.puter.work when track() is called, but allowlists coarse props.
- dist/tools/bash.js, dist/tools/write_file.js, and dist/tools/delete_file.js expose agent tools capable of shell/file mutation when a host app enables them.
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly builds before publishing.
- dist/index.js is a barrel export; import does not execute network, shell, or filesystem mutation logic.
- dist/skills/parse.js Trojan Source hint is a BOM-tolerant frontmatter regex, not hidden control-flow behavior.
- dist/fs/linuxTree.js writes only to a caller-provided virtual fs to seed sandbox paths like /etc/hostname and /home/user/.bashrc.
- dist/mcp/stdio.js and dist/sandbox/local.js lazily import child_process and run only when explicitly configured/used.
- Network clients in dist/llm, dist/mcp, dist/update.js, and web tools are package-aligned SDK features, not install-time exfiltration.
Source & flagged code
3 flagged
- Source writes installer persistence such as shell profile or service configuration. (dist/fs/linuxTree.js · L27)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (dist/skills/parse.js · L3)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/skills/parse.js)