AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface. Risky capabilities are package-aligned for a user-invoked coding-agent CLI.
Decision evidence
public snapshot- User-invoked agent CLI includes shell/process tools and provider/network integrations under src/runtime/agent/orchestrator.
- Runtime fetchers download native assets from GitHub/raw GitHub and execute tar/managed binaries after SHA-256 checks.
- src/runtime/channels/lib/format.mjs contains zero-width characters only inside code-fence escaping strings.
- package.json has no install/preinstall/postinstall lifecycle hook; only bin mixdog -> src/cli.mjs.
- src/cli.mjs only dispatches help/plain/headless/TUI paths when user runs the CLI.
- No package files named .mcp.json, CLAUDE.md, AGENTS.md, or plugin manifests were present at package root/depth scan.
- Project .mcp.json handling in src/session-runtime/plugin-mcp.mjs reads user/project config and strips self-ref servers; it does not plant MCP config.
- Native runtime download paths use bundled manifests first, SHA-256 verification, tar path validation, and package-owned data dirs.
- Scanner secret hits in scripts/compact-smoke.mjs are test fixtures asserting redaction, not embedded credentials.
Source & flagged code
11 flagged · loading sourcePackage contains a possible secret pattern.
scripts/compact-smoke.mjsView on unpkg · L388Package source references child process execution.
scripts/smoke-loop.mjsView on unpkg · L2Package source references dynamic require/import behavior.
scripts/ingest-pure-conversation-smoke.mjsView on unpkg · L12Package source references weak cryptographic algorithms.
src/standalone/plugin-admin.mjsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
src/runtime/agent/orchestrator/tools/shell-snapshot.mjsView on unpkg · L13A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/runtime/channels/lib/whisper-server.mjsView on unpkg · L35Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/runtime/memory/lib/runtime-fetcher.mjsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
src/runtime/channels/lib/format.mjsView on unpkg · L129Package ships non-JavaScript build or shell helper files.
scripts/build-runtime-linux.shView on unpkgHardcoded password in scripts/session-ingest-smoke.mjs
scripts/session-ingest-smoke.mjsView on unpkg · L59