AI Security Review
scanned 4h ago · by lpm-firewall-aiInstall-time code downloads and extracts a platform-specific PHP runtime, then later runs it for user-invoked projects. The archive is accepted without cryptographic integrity verification, leaving a remote-code supply-chain risk if the source is compromised.
Decision evidence
public snapshot- package.json defines postinstall.
- scripts/postinstall.js calls fetchPhp during install.
- scripts/fetch-php.js downloads a platform PHP archive without a checksum/signature.
- runtime/main.js later executes the downloaded PHP binary.
- runtime/main.js exposes privileged Electron actions to the launched project via tokenized localhost control API.
- No credential, environment, or file harvesting was found.
- No exfiltration endpoint or outbound upload behavior was found.
- The download target is a PHP runtime matching the package's stated desktop-PHP purpose.
- The control and UI servers bind only to 127.0.0.1 and use random tokens.
- No AI-agent configuration, hooks, or foreign control-surface writes were found.
- CLI update/install behavior is explicit-user-command only.
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
bin/php-app.jsView on unpkg · L2This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
runtime/main.jsView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
runtime/main.jsView on unpkg · L202Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
runtime/main.jsView on unpkg · L203Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/fetch-php.jsView on unpkg · L4Package ships non-JavaScript build or shell helper files.
bin/fetch-php.shView on unpkg