AI Security Review
scanned 2h ago · by lpm-firewall-aiInstallation automatically modifies the consuming Git project and configures a hardcoded remote SonarQube service. The persisted pre-commit hook scans the project with `sonar.sources=.` and sends analysis to that service.
Decision evidence
public snapshot- `package.json` runs `bin/index.js init` automatically at `postinstall`.
- `bin/index.js` changes into the installing project and installs tooling, hooks, and configs.
- `lib/sonarqube.js` defaults to a hardcoded remote SonarQube host and embedded service token.
- `lib/sonarqube.js` sends the local Git email to create a remote user and grants that user project admin access.
- `lib/hooks.js` persists a pre-commit hook that invokes SonarQube scanning.
- Generated `sonar-project.properties` sets `sonar.sources=.` for the remote scanner.
- Network use for Gitleaks targets its named upstream release endpoint.
- README discloses automated Husky, Gitleaks, and SonarQube setup rather than concealing it.
- No source evidence of credential-file harvesting, shell payload download, or AI-agent configuration writes.
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
bin/index.jsView on unpkg · L10A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/sonarqube.jsView on unpkg · L6Package source invokes a package manager install command at runtime.
lib/husky.jsView on unpkg · L28Package ships non-JavaScript build or shell helper files.
templates/github-template/scripts/run-all-scans.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/packageManager.jsView on unpkg