AI Security Review
scanned 20h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot
- dist/main.js launches `claude --dangerously-skip-permissions` by default in the user-invoked `claude` subcommand.
- dist/paths-D0tJ_tms.js creates a router-owned Claude config mirror and injects synthetic `.credentials.json` and `.claude.json` onboarding/permission fields.
- dist/main.js writes MCP server config and subagent markdown files into the per-launch mirror for Claude subagents.
- dist/peer-mcp-personas-BQVOxB1i.js exposes agent-facing worker/browser/search tools, including write-capable worker modes when enabled.
- package.json has only `prepare: (simple-git-hooks || true)`, with no install/postinstall hook in the published package.
- Dangerous Claude/MCP setup is activated by explicit `github-router claude`, not import-time or npm install-time execution.
- Claude control-surface writes are scoped to `~/.local/share/github-router/claude-config/<pid>-<rand>` and cleaned on shutdown.
- Network endpoints are package-aligned for a GitHub Copilot reverse proxy.
Source & flagged code
6 flagged
- Package source references child process execution.
  dist/peer-mcp-personas-BQVOxB1i.js · line 12
- Source exposes local file and command tools to a remote model endpoint.
  dist/peer-mcp-personas-BQVOxB1i.js · line 12
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
  dist/peer-mcp-personas-BQVOxB1i.js · line 1
- Package source references dynamic require/import behavior.
  dist/peer-mcp-personas-BQVOxB1i.js · line 32
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
  dist/main.js