AI Security Review
scanned 2h ago · by lpm-firewall-aiExplicit review execution can run an agent command supplied by repository-local `.codesema/config.json`. This is a local configuration-injection/RCE risk, not install-time behavior.
Decision evidence
public snapshot- dist/index.mjs loads repo `.codesema/config.json` and accepts its `agent` string.
- dist/index.mjs `review()` uses configured `agent` when no CLI override is supplied.
- dist/index.mjs `runAgent()` executes that string via `spawn(..., { shell: true })` in the repo.
- A repository-controlled config can therefore cause arbitrary local command execution when the user explicitly runs `codesema review`.
- package.json has no preinstall/install/postinstall hook.
- All writes are review/config artifacts under `.codesema` or the user's codesema config directory.
- Built-in server binds only to `127.0.0.1`; UI uses local `/api/*` endpoints.
- No fixed external endpoint, credential harvesting, payload download, destructive deletion, or agent-control-surface mutation was found.
Source & flagged code
3 flagged · loading sourcedist/index.mjs loads repo `.codesema/config.json` and accepts its `agent` string.
dist/index.mjsView on unpkgdist/index.mjs `review()` uses configured `agent` when no CLI override is supplied.
dist/index.mjsView on unpkgdist/index.mjs `runAgent()` executes that string via `spawn(..., { shell: true })` in the repo.
dist/index.mjsView on unpkg