AI Security Review
scanned 1h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack chain, but the package intentionally provides an AI agent with local command/file capabilities and optional browser automation. Activation is explicit CLI/server use or configured cron/webhook input, not npm install.
Decision evidence
public snapshot- src/agents/jeeves.ts creates an AI agent with local() sandbox and instructions advertising bash/write/read/ls/rm/mkdir tools.
- src/app.ts dispatches prompts from ~/.jeeves/schedules.yaml on cron and from Telegram webhook text when TELEGRAM_BOT_TOKEN is set.
- src/app.ts can spawn npx @playwright/mcp@latest when JEEVES_MCP_BROWSER=true.
- src/cli/server.mjs copies project files into ~/.jeeves/project and spawns npx @flue/cli dev on explicit jeeves serve/chat flow.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin/jeeves.js only dispatches explicit CLI subcommands via local imports.
- src/tools/web.ts sends only user tool inputs plus TAVILY_API_KEY to Tavily endpoints for search/extract.
- setup/config/schedules write package-owned .env or ~/.jeeves files, with no foreign AI-agent control-surface mutation found.
- No credential harvesting, stealth persistence, destructive import-time behavior, or remote payload loader found in inspected source.
Source & flagged code
6 flagged · loading sourcePackage source invokes a package manager install command at runtime.
src/app.tsView on unpkg · L20Source writes installer persistence such as shell profile or service configuration.
src/cli/schedules.mjsView on unpkg · L13This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/cli/server.mjsView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/cli/server.mjsView on unpkg · L76