AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a local TypeScript static-analysis CLI suite that reads target sources and writes requested report files.
Decision evidence
public snapshot- `Cases.ts` imports network and subprocess APIs, but it is documented conformance-fixture source.
- `watch.mjs` launches local `scan.mjs` only after explicit `candor-ts-watch` invocation.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Entrypoints are user-invoked CLI, MCP, LSP, and watcher tools; no import-time scan or network action was found.
- `scan.mjs` writes only requested report outputs using local filesystem APIs.
- `mcp.mjs` is stdio-only and confines caller-supplied policy reads to the report workspace.
- No runtime HTTP client, socket connection, credential harvesting, eval/vm execution, or persistence write was found.
Source & flagged code
5 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
Cases.tsView on unpkg · L3Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
watch.mjsView on unpkg · L16This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scan.mjsView on unpkg