AI Security Review
scanned 11d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- cli.js default run calls ensureHooks(), which edits Claude Code hooks in ~/.claude/settings.json.
- server/lib/ensure-hooks.js registers PreToolUse/Stop command hooks for ask-bridge.js, perm-bridge.js, and turn-end-bridge.js.
- cli.js -logger can append a claude() shell wrapper to .zshrc/.bashrc and can inject Claude CLI JS for older installs.
- cli.js --im starts Claude with --dangerously-skip-permissions in an IM worker.
- server/lib/im-process-manager.js can spawn detached IM worker processes.
- server/lib/plugin-loader.js dynamically imports user/bundled plugins from LOG_DIR/plugins and package plugins.
- package.json has no install/postinstall/prepare lifecycle; prepublishOnly only runs build before publishing.
- The Claude settings hooks are guarded by CCVIEWER_PORT and marked cc-viewer-managed for cleanup.
- AI-agent and shell mutations are user-invoked CLI flows, not npm install-time execution.
- server/proxy.js binds Anthropic proxy to 127.0.0.1 and server.js uses token/password auth for LAN access.
- server/lib/updater.js registry fetch is package self-update checking, not payload download/execution by default.
- server/routes/skills.js upload/import code validates names, zip type, size, symlink entries, and path containment.
Source & flagged code
8 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/assets/jszip.min-d8dJpMtW.jsView on unpkg · L11Package source references dynamic require/import behavior.
dist/assets/livescript-Bw1Vw7Ae.jsView on unpkg · L1Package source references weak cryptographic algorithms.
server/lib/claude-md-discovery.jsView on unpkg · L7Source writes installer persistence such as shell profile or service configuration.
server/lib/terminal-env.jsView on unpkg · L7Manifest entrypoint contains risky behavior absent from dist/build output.
server/interceptor.jsView on unpkg · L12Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
server/routes/skills.jsView on unpkg · L112A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
server/routes/skills.jsView on unpkg