AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The CLI performs user-invoked OAuth and authenticated relay communication for its stated terminal-client function.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `arp-tui login`, `arp-tui`, or another CLI command.
Impact
Stores its own credentials locally and sends them only as authentication to configured service endpoints.
Mechanism
OAuth token management and authenticated REST/WebSocket relay client.
Rationale
The scanner’s credential/network findings correspond to the documented OAuth login and authenticated relay client. Source inspection found no lifecycle execution on install, exfiltration to an unrelated endpoint, stealth persistence, or destructive behavior.
Evidence
package.jsonREADME.mddist/index.js
Network endpoints4
arp-relay-dev.up.railway.apparp-web-dev.up.railway.appgenerous-fish-48.clerk.accounts.devws(s)://<configured relay>/ws/client
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has only `prepublishOnly`; no install-time hook.
- `dist/index.js` runs as the user-invoked CLI bin.
- OAuth browser launch and loopback callback occur only for `login`.
- Tokens are stored under `~/.arp-tui` with directory/file modes 0700/0600.
- Bearer tokens are sent only to configured ARP relay, OAuth, and WebSocket endpoints.
- No eval, dynamic loading, shell payload, broad file harvesting, or AI-agent config writes found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
41try {
L42: return JSON.parse(fs.readFileSync(file, "utf8"));
L43: } catch {
...
L47: function loosePermsError(p, expected) {
L48: if (process.platform === "win32") return null;
L49: let st;
...
L63: // src/config.ts
L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui");
L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json");
...
L73: var DEV_PROFILE = {
L74: relayUrl: "https://arp-relay-dev.up.railway.app",
L75: webUrl: "https://arp-web-dev.up.railway.app",
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.jsView on unpkg · L4141Trigger-reachable chain: manifest.bin -> dist/index.js
L41: try {
L42: return JSON.parse(fs.readFileSync(file, "utf8"));
L43: } catch {
...
L47: function loosePermsError(p, expected) {
L48: if (process.platform === "win32") return null;
L49: let st;
...
L63: // src/config.ts
L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui");
L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json");
...
L73: var DEV_PROFILE = {
L74: relayUrl: "https://arp-relay-dev.up.railway.app",
L75: webUrl: "https://arp-web-dev.up.railway.app",
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L41Findings
2 Critical3 Medium6 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License