AI Security Review
scanned 2h ago · by lpm-firewall-aiWhen the CLI is invoked, a server chosen by the caller can issue arbitrary shell commands, start detached processes, and read or edit local paths. The client also weakens Git's global safe-directory protection.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `tool-server` with a server URL and workspace arguments.
Impact
A connected orchestration server can execute code, access local files, alter files, and persist child processes on the invoking host.
Mechanism
Remote Socket.IO command-and-file-control client using `bash -lc`.
Rationale
Source inspection confirms dangerous remote code execution and local file-control capability, but activation requires explicit CLI use and a user-supplied server endpoint. Treat as a warning for dangerous dual-use functionality rather than a publish block.
Evidence
package.jsonbin/tool-server.jsdist/tool-server.jsdist/toolExecutionService.jsdist/Services/EditTool.jsdist/Services/ReadFileTool.js~/.gitconfig
Decision evidence
public snapshotAI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/tool-server.js` accepts Socket.IO requests from a runtime-supplied server URL.
- `dist/toolExecutionService.js` passes remote command input to `bash -lc` without an allowlist.
- `dist/tool-server.js` forwards remote absolute-path read requests and returns contents over the socket.
- `dist/Services/EditTool.js` applies remote edit requests to supplied file paths.
- `dist/tool-server.js` automatically runs global `git safe.directory '*'`, with a `sudo` fallback.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall`; `prepare` only runs `tsc`.
- The remote-control behavior is activated only when the user invokes the CLI with arguments.
- No hard-coded exfiltration host, encoded payload, or hidden import-time network call was found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: fs, http, path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgdist/githubOperationsHanlder.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = phantomx-tool-client@1.0.0
matchedIdentity = npm:cGhhbnRvbXgtdG9vbC1jbGllbnQ:1.0.0
similarity = 0.571
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/githubOperationsHanlder.jsView on unpkgFindings
2 High2 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
HighPrevious Version Dangerous Deltadist/githubOperationsHanlder.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings