AI Security Review
scanned 2h ago · by lpm-firewall-aiThe CLI provides explicit interactive shell access and proctored-exam telemetry. In exam mode it can report shell input and detected AI binaries to the ICOA service; no install-time attack behavior was found.
Decision evidence
public snapshot- `dist/lib/exam-sandbox.js` detects installed AI CLIs and POSTs detection data.
- `dist/lib/exam-sandbox.js` records exam shell input, risk flags, device data, and auth identity to `practice.icoa2026.au`.
- `dist/commands/shell.js` explicitly launches an interactive host shell when Docker is unavailable.
- `dist/commands/ctf4ai-demo.js` and `dist/commands/ctf4vla.js` are deliberately obfuscated, limiting auditability.
- `package.json` postinstall only displays progress; `dist/postinstall.js` has no network, file, or process mutation.
- No `eval`, `Function`, VM execution, or hidden lifecycle payload was confirmed.
- `dist/lib/tool-man.js` reverse-shell-like strings are CTF tool documentation, not executed socket code.
- Observed network calls are to the package's ICOA competition endpoints and are reached by CLI/exam features.
- No writes to AI-agent configuration files or credential-harvesting paths were found.
Source & flagged code
12 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/repl.jsView on unpkg · L1Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/repl.jsView on unpkg · L1Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/commands/ctf4ai-demo.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/commands/ctf4ai-demo.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
dist/commands/env.jsView on unpkg · L1Source matches reverse-shell style process and socket wiring.
dist/lib/tool-man.jsView on unpkg · L1A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/lib/tool-man.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/commands/demo2.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands/ctf4vla.jsView on unpkg