AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI performs explicit OAuth login and authenticated relay communication, storing its own credentials locally.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs arp-tui login, tail, status, or logout.
Impact
User-provided or OAuth-issued tokens are sent only to the selected auth and relay services for the client’s stated functionality.
Mechanism
OAuth PKCE, configured relay REST/WebSocket access, and local credential storage.
Rationale
The scanner’s credential/network match reflects the documented authenticated terminal client workflow. Direct inspection found no install-time execution or concrete exfiltration, persistence, destructive action, or remote-code chain.
Evidence
package.jsonREADME.mddist/index.js~/.arp-tui/config.json~/.arp-tui/credentials.json
Network endpoints3
arp-relay-dev.up.railway.apparp-web-dev.up.railway.appgenerous-fish-48.clerk.accounts.dev
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js sends OAuth and relay bearer tokens over network during explicit CLI login/tail use.
- dist/index.js stores refreshable credentials in ~/.arp-tui/credentials.json.
Evidence against
- package.json has only prepublishOnly; no install-time lifecycle hook.
- dist/index.js invokes child_process only to open the user-requested OAuth browser login.
- Credential files are written atomically with mode 0600 and permission checks.
- Network calls implement configured OAuth, relay REST, and authenticated WebSocket client behavior.
- No eval, dynamic module loading, shell execution, payload download, or foreign agent-config writes found.
- logout revokes tokens and removes active credentials via a tombstone record.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
41try {
L42: return JSON.parse(fs.readFileSync(file, "utf8"));
L43: } catch {
...
L47: function loosePermsError(p, expected) {
L48: if (process.platform === "win32") return null;
L49: let st;
...
L63: // src/config.ts
L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui");
L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json");
...
L73: var DEV_PROFILE = {
L74: relayUrl: "https://arp-relay-dev.up.railway.app",
L75: webUrl: "https://arp-web-dev.up.railway.app",
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.jsView on unpkg · L4141Trigger-reachable chain: manifest.bin -> dist/index.js
L41: try {
L42: return JSON.parse(fs.readFileSync(file, "utf8"));
L43: } catch {
...
L47: function loosePermsError(p, expected) {
L48: if (process.platform === "win32") return null;
L49: let st;
...
L63: // src/config.ts
L64: var CONFIG_DIR = path2.join(os.homedir(), ".arp-tui");
L65: var CONFIG_FILE = path2.join(CONFIG_DIR, "config.json");
...
L73: var DEV_PROFILE = {
L74: relayUrl: "https://arp-relay-dev.up.railway.app",
L75: webUrl: "https://arp-web-dev.up.railway.app",
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L41Findings
2 Critical3 Medium6 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License