AI Security Review
scanned 4d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface was found. Residual risk is a user-invoked coding-agent CLI with shell/MCP/plugin capability and default-on runtime self-update.
Decision evidence
public snapshot- src/mixdog-session-runtime.mjs performs default-on runtime self-update check and can run npm install -g mixdog@latest after user launches CLI.
- src/runtime/shared/update-checker.mjs fetches https://registry.npmjs.org/mixdog/latest and spawns npm install -g mixdog@latest.
- src/session-runtime/plugin-mcp.mjs reads project .mcp.json and registers configured MCP servers inside mixdog runtime.
- src/standalone/plugin-admin.mjs can clone Git plugin sources into mixdog's plugin registry when user invokes plugin install/update.
- src/runtime/agent/orchestrator/tools/*fetcher.mjs download native binaries from GitHub release manifests and verify sha256.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin entrypoint src/cli.mjs only imports src/app.mjs after explicit mixdog execution.
- No inspected code writes CLAUDE.md, .claude, Codex/Cursor settings, shell startup files, VCS hooks, or foreign agent control surfaces during install.
- Native binary/runtime fetchers validate sha256 before caching or extraction.
- Scanner secret hits in scripts/compact-smoke.mjs are test fixtures asserting redaction, not credential harvesting.
- Network endpoints observed are package-aligned registry/GitHub/provider functionality for an agent CLI.
Source & flagged code
11 flagged · loading sourcePackage contains a possible secret pattern.
scripts/compact-smoke.mjsView on unpkg · L388Package source references child process execution.
scripts/smoke-loop.mjsView on unpkg · L2Package source references dynamic require/import behavior.
scripts/ingest-pure-conversation-smoke.mjsView on unpkg · L12Package source references weak cryptographic algorithms.
src/standalone/plugin-admin.mjsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
src/runtime/agent/orchestrator/tools/shell-snapshot.mjsView on unpkg · L13A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/runtime/channels/lib/whisper-server.mjsView on unpkg · L35Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/runtime/memory/lib/runtime-fetcher.mjsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
src/runtime/channels/lib/format.mjsView on unpkg · L129Package ships non-JavaScript build or shell helper files.
scripts/build-runtime-linux.shView on unpkgHardcoded password in scripts/session-ingest-smoke.mjs
scripts/session-ingest-smoke.mjsView on unpkg · L59