AI Security Review
scanned 3h ago · by lpm-firewall-aiAt runtime, the local bridge discloses its shell-route credential through unauthenticated `/api/status`. Browser origins allowed by the bridge CORS policy can use that credential to call the bridge's arbitrary shell-command endpoints.
Decision evidence
public snapshot- `server.js` exposes unauthenticated `GET /api/status`, which returns the runtime `bridgeToken` and identifies `X-Bridge-Token` as the credential header.
- `server.js` protects `POST /api/shell/execute` and `POST /api/shell/jobs` with that bridge token, then runs the supplied command through the local bridge's shell-job implementation.
- `server.js` permits cross-origin browser access from `https://mindexec.pages.dev`, `https://mindexecution.pages.dev`, and matching subdomains; an allowed origin can read `/api/status` and use the disclosed token to invoke the protected shell routes.
- The npm `postinstall` path in `scripts/setup-tree-sitter-grammars.mjs` only creates `tree-sitter-grammars/` and copies eight named WASM grammar files from local `tree-sitter-wasms` locations; it has no network, subprocess, agent-control-surface, or remote-payload behavior.
- No lifecycle source writes `.mcp.json`, `CLAUDE.md`, `.claude/`, `.codex/`, shell startup files, VCS hooks, services, or other foreign AI-agent control surfaces.
- The inspected native helper logic is package-aligned: `server.js` probes and launches bundled `remote-fast` executables, while `remote-hub.js` requires a pairing token for its TCP/WebSocket agent transport. The version diff adds only rebuilt web assets and does not add or change lifecycle scripts, dependencies, entrypoints, native binaries, or WASM files.
Source & flagged code
12 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution with blocking evidence.
server.jsView on unpkg · L18A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
server.jsView on unpkgPackage source references dynamic code evaluation.
wwwroot/assets/MindCanvas-CtCLyOcS.jsView on unpkg · L381Package source references dynamic require/import behavior.
wwwroot/assets/supabaseAuthAdapter-Bzla319B.jsView on unpkg · L43Source launches a detached bundled service that exposes a broad-bound HTTP listener.
scripts/remote-fast-mdm-browser-smoke.mjsView on unpkg · L3Package ships native binary artifacts.
remote-fast/osx-x64/mindexec-remote-fastView on unpkgPackage ships WebAssembly modules.
tree-sitter-grammars/tree-sitter-go.wasmView on unpkgPackage ships non-JavaScript build or shell helper files.
start-bridge.batView on unpkg