AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `src/shared/policy-contract.json` defaults to `full`, enabling writes, shell execution, unrestricted paths, and full environment.
- `bin/machine-mcp.mjs` starts `src/local/cli.mjs`, whose `stdio` service exposes MCP tool calls.
- `src/local/process-execution.mjs` implements policy-gated direct and shell process execution for MCP calls.
- `src/shared/tool-catalog.json` includes full-profile filesystem, browser, application, and command-execution capabilities.
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook; only publish-time checks are present.
- `client-config` in `src/local/cli.mjs` prints configuration snippets rather than modifying Claude, Cursor, or Codex settings.
- `src/local/full-access-test.mjs` writes SSH material only under a temporary test directory and removes it in cleanup.
- Network relay code accepts a configured WebSocket URL; no hard-coded exfiltration endpoint was found in inspected runtime sources.
Source & flagged code
6 flagged · loading sourcePackage source references child process execution.
scripts/generate-worker-types.mjsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
scripts/prepare-pinned-npm.mjsView on unpkg · L1Source writes persistence or remote-access backdoor material.
src/local/full-access-test.mjsView on unpkg · L22A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
src/local/full-access-test.mjsView on unpkg · L22