AI Security Review
scanned 15d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a local-first AI/IDE bridge CLI with expected subprocess, local file, connector, and optional telemetry capabilities gated by user commands or configuration.
Decision evidence
public snapshot- package.json defines postinstall/prepare/prepublishOnly lifecycle scripts
- scripts/postinstall.mjs chmods dist/index.js and links @vscode/ripgrep into node_modules/.bin
- dist/index.js is a CLI with user-invoked writes to CLAUDE.md and .claude/rules/bridge-tools.md
- dist/pluginLoader.js can dynamically import explicitly configured plugins
- scripts/postinstall.mjs only performs local binary setup; no network unless an unpacked dashboard directory is present and missing node_modules
- dist/index.js network calls are documented CLI features: Open VSX extension download, localhost bridge health, connectors, telemetry
- dist/pluginLoader.js requires explicit plugin specs and validates manifest, entrypoint containment, prefixes, and collisions
- dist/connectors/confluence.js blocks caller-controlled non-Atlassian URLs, including metadata endpoint SSRF
- dist/connectors/tokenStorage.js stores user connector tokens locally via keychain/DPAPI/encrypted file, not exfiltration
- dist/analyticsPrefs.js defaults telemetry preferences to false; analyticsSend.js only sends usage summaries when enabled
Source & flagged code
13 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a possible secret pattern.
dist/commands/patchworkInit.jsView on unpkg · L75Package source references child process execution.
dist/installGuard.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/pluginLoader.jsView on unpkg · L143Package source references weak cryptographic algorithms.
dist/connectors/vercel.jsView on unpkg · L20Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L3073Source writes installer persistence such as shell profile or service configuration.
dist/index.jsView on unpkg · L20A single source file combines environment access, network access, and code or shell execution; review context before blocking.
scripts/start-all.mjsView on unpkg · L480Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/tools/clipboard.jsView on unpkg · L1Source reaches cloud instance metadata or link-local credential endpoints.
dist/connectors/confluence.jsView on unpkg · L18Package ships non-JavaScript build or shell helper files.
scripts/start-remote.shView on unpkg