AI Security Review
scanned 3d ago · by lpm-firewall-aiThe package is a self-hosted remote tool client that grants a socket server local file read/write and shell execution capabilities. This is dangerous dual-use functionality, but inspection did not show stealth install-time activation or unconsented persistence.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs bin/tool-server.js or imports dist/tool-server.js
Impact
A configured/compromised orchestration server can read and edit arbitrary local paths and execute shell commands in the configured workspace/process context.
Mechanism
socket-controlled local file operations, Git operations, and bash command execution
Rationale
Source inspection shows high-risk remote agent capabilities, including arbitrary shell and file access, but they are user-invoked and package-aligned rather than stealthy install-time malware. Warn rather than block because no concrete exfiltration, persistence, destructive default behavior, or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonbin/tool-server.jsdist/tool-server.jsdist/toolExecutionService.jsdist/Services/EditTool.jsdist/Services/ReadFileTool.jsdist/githubOperationsHanlder.js.env/tmp/tool-server-logs.logabsolute paths supplied by remote_read_requestabsolute paths supplied by remote_edit_requestFILE_WORKER_BASE_PATH or process.cwd()
Network endpoints3
localhost:8081api.github.com/installation/repositoriesgithub.com/${gitOrgName}/${repoName}.git
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/tool-server.js auto-runs main on import/bin and connects to TOOL_SERVER_URL or http://localhost:8081 via socket.io.
- dist/tool-server.js registers remote_edit_request, remote_read_request, and selfhosted_tool_request handlers controlled by the socket server.
- dist/toolExecutionService.js exposes remote bash execution via spawn('bash',['-lc', command]) and background process start/kill helpers.
- dist/Services/EditTool.js writes arbitrary absolute paths supplied in remote edit payloads with no package-root confinement.
- dist/Services/ReadFileTool.js reads arbitrary absolute paths supplied in remote read payloads and returns contents over the socket.
- dist/tool-server.js loads GITHUB_PAT and APIKEY from environment; githubOperationsHanlder.js uses GitHub token in API calls and git remotes.
Evidence against
- package.json has no preinstall/install/postinstall hook; prepare only runs tsc.
- bin/tool-server.js requires explicit CLI invocation or package import to start the socket client.
- Default network endpoint is localhost unless TOOL_SERVER_URL is set by the user/environment.
- No obfuscated payloads, native binaries, dependency-confusion install hook, or AI-agent config writes were found.
- Network and GitHub operations are aligned with the package description as a self-hosted tool-server client.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: fs, http, path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High2 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings