AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The user-invoked CLI performs local mutation testing; optional static hook templates invoke it after explicit configuration.
Decision evidence
public snapshot- `mutation/prove.mjs` executes configured project test runners and temporarily mutates copied project files.
- `mutation/gate.mjs` supports explicit AI-agent Stop-hook responses and stores a Git-local memo.
- `hooks/session-start` writes `<git-dir>/gutcheck-baseline` when its static hook template is installed.
- `package.json` contains no `preinstall`, `install`, or `postinstall` lifecycle hook.
- No network client imports, network requests, dynamic loaders, `eval`, or `Function` calls were found.
- `mutation/prove.mjs` restores temporary mutations and removes its temp workspace in `finally`.
- Hook configurations are static templates; no code writes `.claude`, `.codex`, `.cursor`, Copilot, or other agent configuration.
- Subprocess use is local Git, Python AST helper, and user-project test runners.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
mutation/probe.mjsView on unpkg · L12Package source references weak cryptographic algorithms.
mutation/lock.mjsView on unpkg · L23Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
mutation/gate.mjsView on unpkg · L12Package ships non-JavaScript build or shell helper files.
mutation/py_blocks.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
mutation/gutcheck.mjsView on unpkg