AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The risky primitives are framework-aligned runtime CLI/dev-server behavior, not install-time execution.
Decision evidence
public snapshot
- package.json has no npm lifecycle hooks; bin is user-invoked src/cli/index.ts
- src/core/dev.ts child_process use is dev-server build/start/restart under bosia dev
- src/cli/registry.ts fetches package registry assets from bosapi GitHub and writes requested project files
- src/cli/registry.ts bun add only installs dependencies declared by selected registry feature/component
- src/core/plugin.ts dynamic require resolves Svelte from app dependencies during Bun build
- No credential harvesting, exfiltration, persistence, or AI-agent control-surface writes found
Source & flagged code
4 flagged
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/core/dev.ts
Package source references dynamic require/import behavior.
src/core/plugin.ts · L13
Package source invokes a package manager install command at runtime.
src/cli/registry.ts · L184