AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The risky primitives are local browser automation, CLI server control, MCP setup, eval, shell, and file-write features that match the package purpose and require user/runtime invocation.
Decision evidence
public snapshot
- package.json has no preinstall/install/postinstall hooks; bins are user-invoked.
- bin/tosijs-dev.mjs starts local server/app and only writes Claude config for explicit --setup-mcp.
- bin/mcp-setup.mjs creates/removes .mcp.json only when executed as setup tool.
- dist/server.js exposes browser-control eval, shell, and file-write APIs as documented local agent features.
- dist/server.js supports HALTIJA_TOKEN checks for REST/WebSocket when configured.
- dist/hj.js Unicode findings are test/formatter sample strings, not hidden control-flow payloads.
Source & flagged code
9 flagged
- Source downloads or fetches remote code and executes it. (bin/tosijs-dev.mjs · L14)
- Package source references child process execution. (bin/tosijs-dev.mjs · L14)
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. (bin/tosijs-dev.mjs · L14)
- Package source invokes a package manager install command at runtime. (bin/tosijs-dev.mjs · L5)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (apps/desktop/main.js · L23)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/index.js · L49)
- Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code. (dist/index.js · L49)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (dist/hj.js · L558)