AI Security Review
scanned 12h ago · by lpm-firewall-ai

No confirmed malicious install-time behavior was found. The package is a local AI bridge with powerful user-invoked runtime capabilities and a default RemoteHub TCP listener.
Decision evidence (public snapshot)
- server.js starts RemoteHub at runtime and remote-hub.js defaults host to 0.0.0.0
- server.js exposes token-protected local APIs for file write/delete, shell execution, Codex runs, and remote task dispatch
- server.js can launch managed remote agents via npx -y @mindexec/remote@latest when requested
- codex-runtime.js creates ~/.mindexec/codex-runtime and copies ~/.codex/auth.json into that isolated runtime
- package.json postinstall only runs scripts/setup-tree-sitter-grammars.mjs to copy packaged tree-sitter WASM files
- launch-bridge.cjs is a user-invoked CLI that starts local server.js and opens localhost app
- server.js binds main HTTP bridge to 127.0.0.1 and protects dangerous routes with X-Bridge-Token
- No install-time writes to foreign AI-agent configs, shell startup files, VCS hooks, or MCP configs found
Source & flagged code
12 flagged

- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- A single source file combines environment access, network access, and code or shell execution with blocking evidence. (server.js, line 18)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (server.js)
- Package source references dynamic code evaluation. (wwwroot/assets/MindCanvas-DmDBHdJk.js, line 817)
- Package source references dynamic require/import behavior. (wwwroot/assets/supabaseAuthAdapter-D57zJK6k.js, line 43)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (scripts/remote-fast-mdm-browser-smoke.mjs, line 3)
- Package ships native binary artifacts. (remote-fast/osx-x64/mindexec-remote-fast)
- Package ships WebAssembly modules. (tree-sitter-grammars/tree-sitter-go.wasm)
- Package ships non-JavaScript build or shell helper files. (start-bridge.bat)