AI Security Review
scanned 5h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `src/local/daemon.mjs` opens an authenticated WebSocket relay and executes received `tool_call` requests.
- `src/local/daemon.mjs` supports filesystem mutation, process spawning, and shell execution under the full policy.
- `src/local/service.mjs` implements persistent user autostart, invoked from explicit `start`/service commands.
- `src/local/full-access-test.mjs` generates SSH material and runs commands, demonstrating high host-control capability.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook runs for consumers.
- `src/local/full-access-test.mjs` uses a `mkdtemp` sandbox and recursively removes it in `finally`.
- No inspected source harvests credentials, exfiltrates files, downloads payloads, or silently edits AI-client configuration.
- Autostart is an explicit CLI-start feature, not an install-time persistence action.
Source & flagged code
4 flagged · loading sourceSource writes persistence or remote-access backdoor material.
src/local/full-access-test.mjsView on unpkg · L21A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
src/local/full-access-test.mjsView on unpkg · L21This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/local/daemon.mjsView on unpkg