AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/cli/init.js` maps explicit `init` flavors to `AGENTS.md`, `CLAUDE.md`, `GEMINI.md`, Copilot, and Cursor rule paths.
- `runInit` writes those files under the caller's project directory and supports overwriting with `--force`.
- `dist/cli/index.js` invokes `runInit` only for the user-requested `craftdriver init` command.
- `package.json` has only `prepublishOnly`; no install, preinstall, or postinstall hook executes for consumers.
- `bin/craftdriver.mjs` only loads the package CLI when the user invokes it.
- Agent-guide content documents browser-automation usage; no credential harvesting, exfiltration, or remote payload path was found.
- `dist/lib/driverManager.js` network use is driver resolution from Chrome-for-Testing and GitHub APIs, aligned with WebDriver functionality.
- `docs/public/traces/vitest-login.zip` is a bundled documentation trace archive, not an executed payload.
Source & flagged code
10 flagged · loading sourceSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli/index.jsView on unpkg · L12A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/lib/driverManager.jsView on unpkg · L25Package source references a known benign dynamic code generation pattern.
dist/lib/clock.jsView on unpkg · L116Package source references dynamic require/import behavior.
bin/craftdriver.mjsView on unpkg · L23Package ships high-entropy non-source blobs.
docs/public/traces/vitest-login.zipView on unpkgPackage ships compressed or archive-like blobs.
docs/public/traces/vitest-login.zipView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
docs/public/traces/vitest-login.zipView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/lib/vibiumTrace.jsView on unpkg