AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an AI coding CLI with user-invoked shell, file, web, MCP, screenshot, and eval tools, plus local config/session storage.
Decision evidence
public snapshot- package.json defines postinstall: node scripts/postinstall.js
- dist/tools/builtin/terminal.js, eval.js, files.js expose shell/eval/write primitives at runtime
- dist/index.js startup performs update check and codebase indexing
- dist/tools/mcp/manager.js can add MCP server configs from registry
- scripts/postinstall.js only creates ~/.daedalus; no network, spawn, or payload drop
- Terminal removes sensitive env keys and gates install commands unless approved
- eval_code requires interactive TTY approval before executing snippets
- Network use is package-aligned: model endpoints, update check, web/MCP tools
- File writes are CLI tool/session/config behavior under project or ~/.daedalus
- No credential harvesting, persistence outside config, destructive install hook, or exfiltration found
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/tools/mcp/stdio.test.jsView on unpkg · L2Package source invokes a package manager install command at runtime.
dist/tools/builtin/files.jsView on unpkg · L187Package source references dynamic require/import behavior.
dist/tools/executor.jsView on unpkg · L9Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/tools/builtin/screenshot.jsView on unpkg · L10Package ships non-JavaScript build or shell helper files.
Daedalus.batView on unpkgThis package version adds a dangerous source file absent from the previous stored version.
dist/agents/orchestrator.test.jsView on unpkg