AI Security Review
scanned 19h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network, browser automation, artifact uploads, and subprocesses are tied to the advertised screenshot-capture CLI and explicit runtime actions.
Decision evidence
public snapshot- `package.json` has no lifecycle scripts; install/import do not trigger package code.
- `dist/cli.js` runs only as the `autokap` executable and exposes explicit login/run/doctor commands.
- `dist/playwright-installer.js` downloads Chromium only during a capture run when missing.
- `dist/cli-updater.js` checks `registry.npmjs.org` only in an interactive CLI session and runs global npm install after a prompt.
- `dist/cli-config.js` stores only AutoKap CLI config in `~/.autokap` with restrictive permissions and validates origins.
- `dist/cookie-dismiss.js` uses `new Function` only inside the Playwright page to reconstruct its own cookie-container predicate.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/openrouter-tts.jsView on unpkg · L13Package source references a known benign dynamic code generation pattern.
dist/cookie-dismiss.jsView on unpkg · L187Package source references weak cryptographic algorithms.
dist/capture-variant-state.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli-updater.jsView on unpkg · L17Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/posthog.jsView on unpkg · L4Package source invokes a package manager install command at runtime.
dist/playwright-installer.jsView on unpkg · L11This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli.jsView on unpkg