AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious behavior was found. The main risk is a user-invoked local dashboard that reads Claude/OpenCode history and may expose parsed local session data if bound to an untrusted interface.
Decision evidence
public snapshot- src/server.js exposes local API routes returning parsed Claude/OpenCode session content
- src/parser.js joins decoded route params into PROJECTS_DIR without path normalization checks
- bin/index.js allows --host/HOST override, so user can bind the dashboard beyond loopback
- package.json has no preinstall/install/postinstall lifecycle scripts
- No child_process, eval, remote payload loading, credential harvesting, persistence, or destructive writes found
- Default host is 127.0.0.1 and behavior is package-aligned: local Claude/OpenCode analytics dashboard
- Network use is limited to local Express API fetches and a frontend CDN script
Source & flagged code
3 flagged · loading sourcesrc/server.js exposes local API routes returning parsed Claude/OpenCode session content
src/server.jsView on unpkgsrc/parser.js joins decoded route params into PROJECTS_DIR without path normalization checks
src/parser.jsView on unpkgbin/index.js allows --host/HOST override, so user can bind the dashboard beyond loopback
bin/index.jsView on unpkg