AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface: risky primitives are tied to an audit scanner CLI and explicit subcommands. Agent-control files and Git hooks are not installed during npm lifecycle.
Decision evidence
public snapshot- User-invoked `auditx init-agent` writes agent instruction files including `AGENTS.md`, `.cursor/rules/auditx.mdc`, and `.claude/skills/auditx/SKILL.md`.
- User-invoked `auditx hook install` can write Git hooks and run background audit scans after merge/checkout.
- Runtime scanner setup downloads external security tools into `~/.auditx/bin` and can run `npm install -g`/`pip install` only via `auditx install` or scanner use.
- `package.json` has no npm lifecycle hooks; install/import does not trigger agent-file or hook mutation.
- Agent and Git hook writes are reachable only through explicit CLI subcommands, not package install.
- AI API keys are read from env or `~/.auditx/config.json` for opt-in `--ai`; no credential harvesting or exfiltration loop found.
- Network activity is package-aligned: GitHub release downloads for scanners and user-selected AI provider APIs.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/auditx.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/auditx.jsView on unpkg · L915Package source references weak cryptographic algorithms.
dist/auditx.jsView on unpkg · L20