AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The risky primitives are expected for a user-invoked AI coding-agent CLI and are not triggered during npm install/import.
Decision evidence
public snapshot- Agent CLI exposes user-invoked shell/MCP/plugin/network capabilities.
- src/runtime/memory/lib/runtime-fetcher.mjs downloads native runtime assets from GitHub with sha256 verification.
- src/runtime/channels/lib/whisper-server.mjs spawns a local whisper-server child and posts audio only to 127.0.0.1 fixed port.
- package.json has no install/postinstall/prepare lifecycle hook; bin is user-invoked src/cli.mjs.
- src/app.mjs only dispatches CLI/TUI/headless modes; no import-time payload or foreign agent config writes.
- Plugin installs in mixdog-owned data/plugins paths and validates removal stays under registry root.
- MCP config reads project .mcp.json and user mixdog config; no lifecycle creation of foreign .mcp.json/CLAUDE/Codex/Cursor surfaces found.
- OAuth credential code stores/refreshes provider tokens in mixdog-owned credential files and scrubs token errors; no exfil endpoint found.
- Trojan-source hint in src/runtime/channels/lib/format.mjs is caused by visible emoji/zero-width fence escaping in formatter logic, not hidden control-flow code.
Source & flagged code
12 flagged · loading sourcePackage contains a possible secret pattern.
scripts/compact-smoke.mjsView on unpkg · L388Package source references child process execution.
scripts/smoke-loop.mjsView on unpkg · L2Package source references dynamic require/import behavior.
scripts/ingest-pure-conversation-smoke.mjsView on unpkg · L12Package source references weak cryptographic algorithms.
src/standalone/plugin-admin.mjsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
src/runtime/agent/orchestrator/tools/shell-snapshot.mjsView on unpkg · L13A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/runtime/channels/lib/whisper-server.mjsView on unpkg · L35Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/runtime/memory/lib/runtime-fetcher.mjsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
src/runtime/channels/lib/format.mjsView on unpkg · L129Package ships non-JavaScript build or shell helper files.
scripts/build-runtime-linux.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/standalone/channel-worker.mjsView on unpkgHardcoded password in scripts/session-ingest-smoke.mjs
scripts/session-ingest-smoke.mjsView on unpkg · L59