AI Security Review
scanned 5h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- scripts/pts-claudecode-discord-bridge.mjs reads DISCORD_BOT_TOKEN from $HOME/.claude/channels/discord/.env
- scripts/pts-claudecode-discord-bridge.mjs connects a Discord bot and runs /opt/homebrew/bin/claude with --permission-mode bypassPermissions
- scripts/com.pts.claudecode.discord.plist is a launchd KeepAlive/RunAtLoad persistence descriptor for the bridge
- scripts/start-pts-claudecode-discord.sh starts the bridge in a detached screen session and writes logs/locks under $HOME/.claude
- Bridge prompt permits direct source edits in a hardcoded Lattice AI workspace from Discord messages
- package.json has no preinstall/install/postinstall lifecycle hook
- bin/ltcai.js is a user-invoked CLI that bootstraps Python deps and runs ltcai_cli.py
- desktop/electron/main.cjs starts a local backend and loads http://127.0.0.1:8765/app with sandboxed renderer settings
- scripts/lint_frontend.mjs and scripts/run_integration_tests.mjs are development/test scripts, not install-time execution
- No inspected code automatically installs the launchd plist or bridge during npm install
Source & flagged code
6 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
scripts/run_integration_tests.mjsView on unpkg · L1Package source invokes a package manager install command at runtime.
scripts/lint_frontend.mjsView on unpkg · L31Package ships non-JavaScript build or shell helper files.
telegram_bot.pyView on unpkgPackage ships high-entropy non-source blobs.
static/vendor/icons/tabler-icons.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
desktop/electron/main.cjsView on unpkg