AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is an explicitly launched Electron application that integrates Copilot CLI with optional Microsoft Teams automation.
Decision evidence
public snapshot- `dist/electron/main.js` obtains Azure CLI tokens and calls Microsoft Graph/Teams.
- `dist/electron/terminal/server.js` launches configured Copilot CLI sessions, including optional `--yolo` mode.
- `dist/electron/main.js` runs a development file watcher only when the Electron app starts.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `bin/copilotoffice.js` only launches the packaged Electron application on explicit CLI invocation.
- Token use targets declared Microsoft Graph and Teams endpoints; no arbitrary exfiltration endpoint found.
- No source writes agent-control configuration, VCS hooks, startup persistence, or remote payload loader.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
bin/copilotoffice.jsView on unpkg · L2This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/electron/main.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/electron/main.jsView on unpkg · L28Package source invokes a package manager install command at runtime.
dist/electron/main.jsView on unpkg · L2976Package contains source files above the static scanner size ceiling.
dist/game.bundle.jsView on unpkg