AI Security Review
scanned 2d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/bundle.js` exposes MCP `solve`/`evolve` tools that launch `claude -p`.
- Tool inputs accept arbitrary `verify_cmd` and `fitness_cmd`, executed with `execSync`.
- Evolution workflow stashes, checks out, cleans, applies Git patches, and reads target files.
- Runtime passes `DEEPSEEK_API_KEY` to Claude/DeepSeek configuration.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
- MCP server starts over stdio and waits for explicit tool calls.
- Network targets are a local proxy and DeepSeek API, matching declared functionality.
- No credential harvesting, hidden exfiltration, persistence, or foreign agent-config mutation found.
Source & flagged code
3 flagged · loading sourceSource combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/bundle.jsView on unpkg · L21090Package source references a known benign dynamic code generation pattern.
dist/bundle.jsView on unpkg · L2941