AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an explicit self-hosted trading agent that runs only through its lifecycle build hook or user-invoked CLI/worker commands.
Decision evidence
public snapshot- package.json uses only a prepare hook, which runs cli/build.mjs to build the bundled dashboard.
- cli/build.mjs invokes the package-local Next binary and exits successfully on build failure; it does not fetch or modify user secrets.
- cli/bin.mjs performs network calls only for configured chain RPC, Telegram diagnostics, and explicit user commands.
- worker/src/strategies/custom.ts imports only a user-selected, name-validated strategy from ~/.merrymen/strategies.
- Writes and deletions are limited to the package's ~/.merrymen state, including explicit kill-switch grant removal.
- web/.next is a generated Next.js build artifact, explaining the oversized vendor chunk hint.
Source & flagged code
5 flagged · loading sourcePackage source references dynamic require/import behavior.
worker/src/strategies/custom.tsView on unpkg · L135Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
cli/bin.mjsView on unpkg · L20This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
cli/bin.mjsView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
web/.next/server/vendor-chunks/next.jsView on unpkgPackage contains source files above the static scanner size ceiling.
web/.next/server/vendor-chunks/next.jsView on unpkg