AI Security Review
scanned 2h ago · by lpm-firewall-aiOn ordinary CLI invocation, the package checks the npm registry and may launch a detached global self-update without an interactive confirmation. The AI-agent skill mirroring path is command-driven rather than install-time.
Decision evidence
public snapshot- `dist/cli.js` checks npm for updates during ordinary CLI runs.
- `dist/cli.js` silently spawns detached `npm`/`pnpm`/`bun` global self-updates for newer non-major releases.
- `dist/cli.js` can link skills into detected AI-agent directories, but only from the explicit `skills` flow.
- `package.json` defines no preinstall/install/postinstall lifecycle hook.
- No source evidence of credential harvesting, arbitrary payload download, or secret exfiltration.
- Agent-directory mutations are restricted to package skills and occur after explicit skills installation/update.
- Telemetry targets PostHog and is disableable through documented environment/config controls.
Source & flagged code
3 flagged · loading sourcePackage contains source files above the static scanner size ceiling.
dist/studio/index.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
dist/cli.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/hyperframes-slideshow.global.jsView on unpkg