AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The application can act as an AI-agent host and run MCP tooling configured through its local settings. A configured MCP package may be fetched with npm and then used by the agent runtime; no automatic install-time execution was found.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `bossmode on` and enables/configures an MCP server through Bossmode settings.
Impact
Configured MCP tools can execute with the user's local permissions; this is a real agent capability but not an unconsented payload chain.
Mechanism
User-configured MCP process/package resolution in a package-owned runtime.
Rationale
The scanner's download/execute signal maps to user-configured MCP tooling, not autonomous install-time behavior. The package presents a meaningful agent-extension lifecycle risk, so warning is appropriate rather than a malicious block.
Evidence
package.jsondist/cli/index.jsdist/shared/config.jsdist/shared/mcp-settings.jsdist/engine/model-credentials.jsvendor/pi-mcp-adapter/npx-resolver.ts~/.bossmode/config.json~/.bossmode/mcp/mcp.json~/.bossmode/mcp/runtime~/.bossmode/bossmode.pid~/.bossmode/bossmode.log
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `vendor/pi-mcp-adapter/npx-resolver.ts` runs `npm exec --yes --package` for MCP package specs.
- `dist/shared/mcp-settings.js` accepts MCP `command` or HTTP server entries and persists them under `~/.bossmode/mcp/mcp.json`.
- `dist/cli/index.js` forks a detached local daemon on explicit `bossmode on`.
- `dist/engine/model-credentials.js` fetches model lists from a user-supplied credential base URL.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- MCP configuration is package-owned (`~/.bossmode/mcp`), not a foreign agent config path.
- No hardcoded exfiltration endpoint or secret-harvesting path was found.
- Network calls are for configured model discovery and the Linear integration; `dist/integrations/linear-client.js` targets Linear's API.
- The daemon defaults to `127.0.0.1` and requires an explicit CLI command to start.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
4 flagged · loading sourcedist/cli/index.jsView file
1#!/usr/bin/env node
L2: import { fork } from "node:child_process";
L3: import { openSync, readFileSync } from "node:fs";
High
web/dist/assets/index-MzlDDEbN.jsView file
8]|$)`},{atBreak:!0,character:"<",after:"[!/?A-Za-z]"},{character:"<",after:"[!/?A-Za-z]",inConstruct:"phrasing",notInConstruct:Ja},{character:"<",inConstruct:"destinationLiteral"},...
L9: `)&&u.type==="html"&&(s[s.length-1]=s[s.length-1].replace(/(\r?\n|\r)$/," "),a=" ",c=e.createTracker(n),c.move(s.join("")));let f=e.handle(u,t,e,{...c.current(),after:h,before:a});...
L10: `,after:`
...
L20: `,now:{line:1,column:1},lineShift:0});return i&&i.charCodeAt(i.length-1)!==10&&i.charCodeAt(i.length-1)!==13&&(i+=`
L21: `),i;function s(o){return r.stack.push(o),a;function a(){r.stack.pop()}}}function ZZ(t){throw new Error("Cannot handle value `"+t+"`, expected node")}function zZ(t){const e=t;throw...
L22:
...
L43:
L44: `))}return r.pop(),a.join("")}function jI(t){let e=0,n=t.stack.length;for(;--n>-1;){const r=t.stack[n];if(r==="blockquote"||r==="listItem")break;r==="mdxJsxFlowElement"&&e++}return...
L45: `));var e=[],n=t.split(/(\n|\r\n)/);n[n.length-1]||n.pop();for(var r=0;r<n.length;r++){var i=n[r];r%2&&!this.options.newlineIsToken?e[e.length-1]+=i:(this.options.ignoreWhitespace&...
...
L147: `+t.slice(o+1):l+=t.slice(i),l.slice(1)}function jie(t){for(var e="",n=0,r,i=0;i<t.length;n
Critical
Download Execute
Source downloads or fetches remote code and executes it.
web/dist/assets/index-MzlDDEbN.jsView on unpkg · L8897}
L898: `,aOe={defaultPreset:"react",presets:[{name:"react",meta:"live react",label:"React",sandpackTemplate:"react",sandpackTheme:"light",snippetFileName:"/App.js",snippetLanguage:"jsx",i...
L899: `:r=="r"?"\r":r=="t"?" ":"\\")}eq(e){return this.search==e.search&&this.replace==e.replace&&this.caseSensitive==e.caseSensitive&&this.regexp==e.regexp&&this.wholeWord==e.wholeWord&...
High
Shell
Package source references shell execution.
web/dist/assets/index-MzlDDEbN.jsView on unpkg · L897web/dist/assets/livescript-BwQOo05w.jsView file
1var f=function(e,n){var g=n.next||"start";{n.next=n.next;var k=x[g];if(k.splice){for(var l=0;l<k.length;++l){var t=k[l];if(t.regex&&e.match(t.regex))return n.next=t.next||n.next,t....
Medium
Dynamic Require
Package source references dynamic require/import behavior.
web/dist/assets/livescript-BwQOo05w.jsView on unpkg · L1Findings
1 Critical2 High4 Medium5 Low
CriticalDownload Executeweb/dist/assets/index-MzlDDEbN.js
HighChild Processdist/cli/index.js
HighShellweb/dist/assets/index-MzlDDEbN.js
MediumDynamic Requireweb/dist/assets/livescript-BwQOo05w.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings