AI Security Review
scanned 2d ago · by lpm-firewall-ai
The package is a local AI/browser control server with high-risk capabilities exposed over HTTP. By default it requires no token and permits broad CORS/private-network access, so this is a dangerous capability surface rather than confirmed malware.
Decision evidence
public snapshot
- dist/server.js exposes unauthenticated REST endpoints by default unless HALTIJA_TOKEN is set
- dist/server.js sets Access-Control-Allow-Origin: * and Access-Control-Allow-Private-Network: true
- dist/server.js /terminal command path executes shell commands via spawn("sh", ["-c", fullCommand])
- dist/server.js /files/read and /files/write read/write arbitrary absolute paths requested over REST
- dist/server.js can spawn claude -p with --permission-mode dontAsk and broad allowed tools
- bin/mcp-setup.mjs writes .mcp.json/Claude config only when setup command is invoked
- package.json has no install/preinstall/postinstall lifecycle hooks
- Dangerous shell/browser/agent controls match the declared browser-control-for-AI-agents purpose
- Network endpoints are local server URLs and documented examples, not external exfiltration hosts
- dist/hj.js invisible Unicode occurs in EVIL_UNICODE test data, not executable control flow
- MCP/Claude config mutation is explicit CLI setup, not import-time or install-time
- No credential harvesting or hardcoded exfiltration endpoint found
Source & flagged code
10 flagged
- Source downloads or fetches remote code and executes it.
- bin/tosijs-dev.mjs · L14 · Package source references child process execution.
- bin/tosijs-dev.mjs · L14 · Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
- bin/tosijs-dev.mjs · L14 · Package source invokes a package manager install command at runtime.
- bin/tosijs-dev.mjs · L5 · A single source file combines environment access, network access, and code or shell execution; review context before blocking.
- apps/desktop/main.js · L23 · A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
- dist/index.js · L49 · Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
- dist/index.js · L49 · Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
- dist/hj.js · L558 · This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
- bin/cli-subcommand.mjs