AI Security Review
scanned 7h ago · by lpm-firewall-aiAn explicitly approved remote expert can read/write scoped files, run a shell, and access one localhost browser port. The intended project-file boundary can be bypassed through existing symlinks because paths are not realpath-checked.
Decision evidence
public snapshot- `dist/index.js` exposes remote shell, PTY, file read/write, and browser tools.
- `run_command` uses `spawn(..., { shell: true })` after terminal consent.
- File containment is lexical; pre-existing project symlinks can escape `projectDir`.
- Relay registration sends project directory and issue text to Railway WebSocket.
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- Session access requires explicit MCP elicitation and scope approval.
- Scopes are revocable; terminal PTYs are killed on revocation.
- No decoded remote payload execution, eval, or downloader is present; base64 is a browser screenshot.
Source & flagged code
4 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/index.jsView on unpkg · L194A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg