AI Security Review
scanned 1d ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface was found. The package is an AI workflow platform with explicit installer features that can place agent instructions/hooks and register MCP servers with file read/write tools.
Decision evidence
public snapshot
- User-invoked `maestro install` can copy packaged `.claude`, `.codex`, `.agents`, and `.agy` agent assets into home/project locations.
- `dist/src/commands/install-backend.js` can opt-in register `maestro-tools` MCP in Claude, Codex, Cursor, Qoder, Trae, Kiro, Roo, VS Code, and Gemini configs.
- Registered MCP tool list includes `write_file`, `edit_file`, `read_file`, and `read_many_files`.
- Dashboard/agent code supports agent permission modes including `dontAsk`/`bypassPermissions`, but not from npm lifecycle execution.
- `package.json` has no install/postinstall/prepare hook; only `prepublishOnly` for publisher-side build.
- Agent/control-surface writes are behind explicit CLI/TUI actions such as `maestro install`, `--force`, `--mcp`, `--codex-mcp`, or `--extra-mcp`.
- `bin/maestro.js` only relaunches the same CLI with WASM flags before importing `dist/src/cli.js`.
- `dist/src/commands/view.js` and `stop.js` use localhost dashboard endpoints and local process management, not external exfiltration.
- Scanner payload hint file is a readable Python test script, not a hidden binary payload.
- No credential harvesting or hardcoded external exfiltration endpoint was confirmed in inspected hot files.
Source & flagged code
12 flagged
- `dist/src/migrations/_template.js` (L44): Package source references dynamic require/import behavior.
- `dist/src/tools/core-memory.js` (L31): Package source references weak cryptographic algorithms.
- `dist/src/commands/view.js` (L181): A single source file combines environment access, network access, and code or shell execution; review context before blocking.
- `dist/src/commands/view.js` (L196): Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
- `dist/src/commands/view.js` (L116): Package source invokes a package manager install command at runtime.
- `dashboard/dist-server/dashboard/src/server/routes/mcp.js` (L10): Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
- `dist/src/tools/impeccable/live/server.js` (L1): Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
- `.agents/skills/team-adversarial-swarm/scripts/test_aco.py`: Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
- `.agents/skills/team-adversarial-swarm/scripts/test_aco.py`: Package ships non-JavaScript build or shell helper files.
- `dist/src/config/cli-tools-config.js`: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.