AI Security Review
scanned 2h ago · by lpm-firewall-aiThis is an explicit MCP remote-assistance agent with high-impact capabilities. A connected expert can read/write approved project files and run arbitrary shell commands after the user grants scopes.
Decision evidence
public snapshot- `dist/index.js` connects to a default third-party relay and accepts an expert WebRTC channel.
- `dist/index.js` exposes file read/write and shell command execution to the connected expert.
- PTY support launches the user shell with inherited environment after Terminal access is granted.
- Relay registration sends customer name, project directory, and issue metadata.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `request_expert_help` requires MCP elicitation approval; missing elicitation fails closed.
- `PermissionGate` confines file paths to the chosen project directory and gates terminal/browser access.
- `revoke_access` kills PTYs and `end_session` revokes scopes and tears down the peer.
- No `eval`, `Function`, decoded-payload execution, or remote code-loading primitive was found.
Source & flagged code
4 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/index.jsView on unpkg · L194A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg