AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package intentionally provides local MCP automation, including optional shell and filesystem access, only after explicit runtime invocation and policy selection.
Decision evidence
public snapshot- `src/local/tools.mjs` defines an explicit `full` profile with shell execution, writes, unrestricted paths, and inherited environment.
- `src/local/full-access-test.mjs` exercises SSH key generation and file writes, but only under a user-invoked test command and a fresh temporary directory.
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook; `prepublishOnly` is publisher-only.
- `bin/machine-mcp.mjs` only invokes the CLI after the user runs a package binary.
- `src/local/cli.mjs` exposes privileged behavior through explicit commands/profile flags, including `full-test`, `start`, and `resource`.
- `src/local/full-access-test.mjs` creates its test root with `mkdtemp` and removes it in `finally`; its `authorized_keys` file is temporary.
- `src/local/tools.mjs` has restrictive `review`, `edit`, and `agent` profiles; shell execution is gated to `full`.
- `src/local/relay-connection.mjs` uses a configured Worker URL and a required daemon secret rather than a hard-coded exfiltration endpoint.
Source & flagged code
4 flagged · loading sourceSource writes persistence or remote-access backdoor material.
src/local/full-access-test.mjsView on unpkg · L21A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
src/local/full-access-test.mjsView on unpkg · L21This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/local/job-runner.mjsView on unpkg