AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `src/agent.ts` implements model-directed shell execution, file edits/deletes, database queries, MCP calls, and web fetch.
- `src/agent.ts` permits actions after interactive confirmation or configured `allow` rules; command execution is not confined to the package directory.
- `src/usercommands.ts` expands user-created `!` shell substitutions from `~/.iuri/commands` and project `.iuri/commands`.
- `src/mcptools.ts` exposes write/exec/delete MCP tools only when the user starts it with write access.
- `src/db.ts` can run `npm install <driver>` on demand for an explicitly requested database driver.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
- `bin/iuri.ts` is the sole package entrypoint and activates behavior only when the user runs `iuri`.
- `src/agent.ts` gates mutating tools with confirmation, permission rules, and extra warning for writes outside the project.
- No bidi control characters were found in `src/usercommands.ts` or `dist/src/usercommands.js`; the scanner Trojan Source claim is unsupported.
- No source path shows credential harvesting, hidden exfiltration, remote payload download/execution, or AI-agent configuration mutation.
Source & flagged code
3 flagged · loading sourceSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/src/usercommands.jsView on unpkg · L26A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/src/usercommands.jsView on unpkgPackage ships non-JavaScript build or shell helper files.
src/edge_tts_server.pyView on unpkg