AI Security Review
scanned 5d ago · by lpm-firewall-ai
No install-time malware was found, but the runtime service exposes unauthenticated command execution and agent hook configuration APIs. This is a serious dual-use/critical vulnerability surface rather than confirmed malicious package behavior.
Decision evidence
public snapshot
- dist/server.js starts an Express API on configured PORT without visible authentication
- dist/routes/computerRoutes.js exposes POST /api/computer/execute-command
- dist/utils/computer/computerUtils.js executes user-supplied command via child_process.exec in workspace
- dist/utils/computer/hookConfigUtils.js can write .codex/.claude/.opencode hook configs from API-supplied fields
- package.json has no install/postinstall hook; prepublishOnly only runs build for publisher
- dist/cli.js only starts/stops/statuses the service on explicit bin command
- No hardcoded exfiltration host or attacker URL found; fetch/curl URLs are user-supplied hook or skill URLs
- dist/utils/buildArg/portUtils.js shell usage is port/process inspection, not reverse shell wiring
- pnpm prune scheduler runs package-aligned maintenance command
Source & flagged code
4 flagged
- dist/scheduler/pnpmPruneScheduler.js: Package source references child process execution.
- dist/cli.js: A single source file combines environment access, network access, and code or shell execution; review context before blocking.
- dist/utils/buildArg/portUtils.js: Source matches reverse-shell style process and socket wiring.
- dist/utils/buildArg/portUtils.js: Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.