AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time behavior was found. The package has real user-invoked risk: explicit Claude setup mutates a first-party agent control surface, and legacy sync routes can store PATs in git remotes plus use shell:true around git/gh arguments.
Decision evidence
public snapshot- dist/server/install-skill.js explicitly writes ~/.claude.json and copies OpenWriter skills/agents when user runs setup.
- dist/server/git-sync.js uses execFile(...,{shell:true}) and weak quoting for git/gh args from /api/sync/setup.
- dist/server/git-sync.js embeds GitHub PATs in remote URLs for setupWithPat/connectExisting, writing them into .git/config.
- dist/server/plugin-install.js runs npm install/uninstall for user-supplied plugin names, though names are regex-limited.
- package.json has no preinstall/install/postinstall lifecycle hook; only prepublishOnly.
- dist/bin/pad.js activates server/setup/plugin paths only when the user invokes the CLI.
- dist/plugins/github/dist/git-sync.js uses safer execFile argv arrays and PAT env credential helper.
- Packaged skill/agents are first-party OpenWriter workflow files with restricted OpenWriter MCP tools, not hidden exfiltration instructions.
- Network endpoints are product-aligned: GitHub, OpenWriter publish, Author's Voice, X API, localhost.
Source & flagged code
6 flagged · loading sourcePackage source references child process execution.
dist/plugins/github/dist/blog-tools.jsView on unpkg · L6Package source references shell execution.
dist/plugins/github/dist/blog-tools.jsView on unpkg · L17Package source references dynamic require/import behavior.
dist/plugins/x-api/dist/server-bridge.jsView on unpkg · L16Package source invokes a package manager install command at runtime.
dist/server/plugin-install.jsView on unpkg · L34Package ships high-entropy non-source blobs.
dist/client/assets/source-serif-4-latin-wght-italic-D2yaqPoE.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/plugins/github/dist/git-sync.jsView on unpkg