AI Security Review
scanned 3h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot
- bin/mcp-setup.mjs can create project .mcp.json or run `claude mcp add` only when its setup CLI is invoked.
- dist/index.js and dist/server.js expose agent/browser control primitives including browser-context eval and local REST/WebSocket commands.
- dist/index.js can spawn shell commands from haltija.json tool config and write screenshots/files under requested server features.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- MCP/Claude config writes are tied to explicit flags or setup binaries, not install-time execution.
- Network use is local/package-aligned: localhost ports 8700/8701 and ws://localhost browser bridge.
- bin/tosijs-dev.mjs runtime install behavior is an Electron fallback via npx after the user launches the CLI, not import-time or install-time payload execution.
- dist/hj.js obfuscation-like content appears to be bundled CodeMirror/minified parser data, not hidden package bootstrap code.
Source & flagged code
9 flagged
Source downloads or fetches remote code and executes it.
bin/tosijs-dev.mjs · L14
Package source references child process execution.
bin/tosijs-dev.mjs · L14
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
bin/tosijs-dev.mjs · L14
Package source invokes a package manager install command at runtime.
bin/tosijs-dev.mjs · L5
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
apps/desktop/main.js · L23
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.js · L49
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/index.js · L49
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/hj.js · L558