AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Payment, wallet, CLI, and state-write capabilities are exposed as explicit runtime APIs rather than activated during install or import.
Decision evidence
public snapshot- `dist/index.mjs` provides explicit wallet signing, transfers, and testnet faucet helpers.
- `dist/index.mjs` can invoke an OWS CLI only through exported backup/restore/configuration methods.
- `dist/index.mjs` has a caller-configured JSON state store write path.
- `package.json` contains only `prepublishOnly`; no install-time lifecycle hook exists.
- No import-time network call, transfer, CLI invocation, or filesystem mutation was found.
- Dynamic imports target declared optional wallet/payment dependencies, not remote code.
- No credential harvesting, exfiltration, AI-agent config mutation, persistence, or destructive logic was found.
- The MCP export is a package-owned paid-tool server API, not an agent control-surface installer.
Source & flagged code
3 flagged · loading sourceSource uses private key material to transfer cryptocurrency funds.
dist/index.mjsView on unpkg · L45A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.mjsView on unpkg · L45This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg