AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package performs local static analysis and writes report files only after an explicit CLI/watch invocation.
Decision evidence
public snapshot- `AGENTS.md` contains agent-directed operational guidance, but it is documentation and not runtime code.
- `watch.mjs` invokes a local Node subprocess, creating a user-triggered execution path.
- `Cases.ts` contains child-process and network fixtures for scanner conformance.
- `package.json` has no preinstall, install, postinstall, or other lifecycle hooks.
- `scan.mjs` is an offline TypeScript static-analysis CLI; no outbound network API usage was found.
- `scan.mjs` only creates and atomically writes user-selected/default analysis reports.
- `watch.mjs` spawns only the package-local `scan.mjs` with supplied target/output arguments.
- `mcp.mjs` and `lsp.mjs` read reports/configuration and communicate over stdio; no remote endpoint or payload loading was found.
- `Cases.ts` is a static conformance fixture and is not a package entrypoint.
Source & flagged code
5 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
Cases.tsView on unpkg · L3Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
watch.mjsView on unpkg · L16This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scan-core.mjsView on unpkg