AI Security Review
scanned 3h ago · by lpm-firewall-aiThe CLI can install a per-user background tracker that starts at login and restarts after exits. This is explicit/interactive first-party persistence, not install-time execution or a foreign AI-agent control-surface mutation.
Decision evidence
public snapshot- `dist/service.js` writes per-user boot-persistent service artifacts.
- Linux/macOS/Windows registration invokes `systemctl`, `launchctl`, or `reg add`.
- Windows artifact is a hidden VBS loop that restarts `grindeasy` indefinitely.
- `dist/index.js` offers background installation after leaderboard pairing, defaulting to yes.
- `package.json` has no install, postinstall, or preinstall hook.
- Service setup is reached by `grindeasy service install` or an interactive prompt, not installation.
- `dist/sync.js` sends only aggregate tool totals, plan, combos, and agent version after opt-in pairing.
- `dist/fsScan.js` reads only metadata timestamps, not AI-tool file contents.
- No dynamic code loading, eval, shell interpolation, credential harvesting, or remote payload execution found.
Source & flagged code
2 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/service.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
dist/service.jsView on unpkg · L1