AI Security Review
scanned 1d ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot
- package.json runs preinstall/postinstall and exposes obfuscated .ad/x0.js as main/bin
- .ad/x0.js and .ad/x*.js are heavily obfuscated runtime code for bulk email tooling
- src/web-panel/ws.js injects a panel into Gmail/Outlook/Yahoo and clicks compose/send for target lists
- .ad/advanced-evasion.js adds hidden/noise/Unicode content to messages for evasion
- .ad/xu.js contains open-redirect scanning using httpbin.org canary payloads
- templates/ and phonebook/ contain SMTP, proxy, sender, message, and SMS-gateway campaign inputs
- scripts/preinstall.js is an interactive EULA prompt and only writes ~/.nolimit/eula.json after acceptance
- scripts/postinstall.js only creates a Windows nolimit.cmd shim for the package entrypoint
- No evidence found of credential harvesting/exfiltration, persistence, or foreign AI-agent control-surface writes
- Network use appears tied to user-invoked email/web/send/scanning functionality rather than install-time beaconing
Source & flagged code
6 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/web-panel/ws.js · L269)
- Source file is highly similar to a previously finalized malicious package; route for source-aware review. (scripts/postinstall.js)
- Source fingerprint signature matches a known malicious package signature; route for source-aware review. (scripts/postinstall.js)