AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The package is an AI development orchestrator with user-invoked CLI/web workflows that can manage local project state, hooks, worktrees, and agent processes.
Decision evidence
public snapshot- Hook library writes .claude/settings.json and provides .opencode/.codex/.jonggrang hook mappings when user initializes/uses the tool.
- CLI web command can run npm install/build only when user invokes `jonggrang web` and bundled deps/build are missing.
- package.json has no preinstall/install/postinstall lifecycle scripts.
- bin/jonggrang.js is a user-invoked CLI; install commands are dependency repair/build steps under package/client dirs, not automatic install-time execution.
- server.js binds local dashboard to 127.0.0.1 by default with trusted-origin checks and serves packaged client assets.
- apis/secrets/index.js stores user-submitted secrets in local webState and does not exfiltrate them.
- Network use is package-aligned: GitHub/GitLab issue APIs and user-configured SSH/git operations for developer workflow.
- child_process usage launches declared tools (git, docker, ssh, node, opencode, claude) for orchestration; no remote payload download/execution found.
Source & flagged code
14 flagged · loading sourcePackage contains a critical-looking secret pattern.
client/dist/assets/SettingsView-B1MTq8v-.jsView on unpkg · L164OpenSSH private key in client/dist/assets/SettingsView-B1MTq8v-.js
client/dist/assets/SettingsView-B1MTq8v-.jsView on unpkg · L164Package source references child process execution.
apis/projects/orchestration-run.jsView on unpkg · L16Package source references dynamic require/import behavior.
apis/secrets/index.jsView on unpkg · L2Package source references weak cryptographic algorithms.
lib/bot-reviewer/index.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
hooks/pi/jonggrang-extension.tsView on unpkg · L17This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/jonggrang.jsView on unpkgSource launches a detached bundled service that exposes a broad-bound HTTP listener.
bin/jonggrang.jsView on unpkg · L9Package source invokes a package manager install command at runtime.
bin/jonggrang.jsView on unpkg · L2807Package ships non-JavaScript build or shell helper files.
hooks/claude/secret-final-check.shView on unpkgPackage ships high-entropy non-source blobs.
client/dist/assets/primeicons-C6QP2o4f.woff2View on unpkgHardcoded password in skills/library/testing/unit-testing-patterns/SKILL.md
skills/library/testing/unit-testing-patterns/SKILL.mdView on unpkg · L17OpenSSH private key in client/dist/assets/ProjectSettingsView-C0Hs5bFS.js
client/dist/assets/ProjectSettingsView-C0Hs5bFS.jsView on unpkg · L1