AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can persist itself as a per-user background tracker after explicit onboarding consent or an explicit service command. It can submit aggregate activity totals to the configured leaderboard endpoint after account pairing; no unconsented install-time behavior is present.
Decision evidence
public snapshot- `dist/service.js` installs per-user boot-persistent systemd, launchd, or Windows Run-key artifacts.
- Service installation is user-confirmed in `dist/onboarding.js` or invoked through `grindeasy service install`.
- `dist/service.js` uses `execFile` only for platform service registration and cleanup commands.
- `package.json` has no install, preinstall, or postinstall lifecycle hook.
- `dist/fsScan.js` reads only directory/file metadata, not AI-session contents.
- `dist/sync.js` sends aggregate tool-time totals only when a paired account token is configured.
- No eval, dynamic module loading, binary loading, credential harvesting, or remote payload execution was found.
Source & flagged code
2 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/service.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
dist/service.jsView on unpkg · L1