AI Security Review
scanned 2h ago · by lpm-firewall-aiA user-invoked or imported client connects to a runtime-selected Socket.IO server. That server can request arbitrary shell commands, file reads, and edits; command output and file contents are returned to it.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running `tool-server` or importing `dist/tool-server.js` with a server URL argument.
Impact
A controlling server can execute commands on the host and exfiltrate readable file contents, including command output.
Mechanism
Remote Socket.IO-controlled shell execution and unrestricted absolute-path file operations.
Rationale
The package exposes a high-risk remote command-and-file-control channel controlled by a runtime-selected server. It is not proven malicious because it lacks install-time execution, a fixed attacker endpoint, or concealment, but warrants a warning as dangerous capability.
Evidence
package.jsonbin/tool-server.jsdist/tool-server.jsdist/toolExecutionService.jsdist/Services/EditTool.jsdist/Services/ReadFileTool.jsdist/githubOperationsHanlder.js
Network endpoints1
api.github.com
Decision evidence
public snapshotAI called this Suspicious at 96.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/tool-server.js` accepts Socket.IO requests from a runtime-supplied `SERVER_URL`.
- `dist/toolExecutionService.js` runs remote command strings with `bash -lc` on the host.
- Remote `Execute_commmand_host_machine` and background-process tools provide arbitrary host execution.
- `remote_read_request` reads caller-supplied absolute paths and returns contents over the socket.
- `remote_edit_request` applies socket-supplied edits to absolute file paths.
- `dist/githubOperationsHanlder.js` uses the supplied GitHub PAT for GitHub API and git operations.
Evidence against
- `package.json` only defines `prepare`; no preinstall/install/postinstall hook exists.
- No hard-coded non-GitHub network endpoint, stealth payload download, or obfuscated payload was found.
- The manifest describes a self-hosted remote tool client, aligning with the exposed capability.
- GitHub traffic targets the package-aligned `https://api.github.com` endpoint.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: fs, http, path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgdist/githubOperationsHanlder.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = phantomx-tool-client@1.0.7
matchedIdentity = npm:cGhhbnRvbXgtdG9vbC1jbGllbnQ:1.0.7
similarity = 0.857
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/githubOperationsHanlder.jsView on unpkgFindings
2 High2 Medium5 Low
HighNode Builtin Dependency Squatpackage.json
HighPrevious Version Dangerous Deltadist/githubOperationsHanlder.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings