AI Security Review
scanned 5m ago · by lpm-firewall-aiNo confirmed malicious attack surface. Optional dashboard process management is user-command triggered and loopback-only; optional local-model requests are restricted to localhost.
Decision evidence
public snapshot- package.json postinstall only rebuilds @mongodb-js/zstd.
- extensions/mega-dashboard-cmds.ts starts/stops dashboard only through explicit slash commands.
- extensions/dashboard-server.ts binds only 127.0.0.1 on ports 9320–9329.
- src/httpEmbedder.ts rejects non-loopback embedding URLs.
- src/dedup/raptor/summarizer.ts rejects non-loopback Ollama URLs.
- State writes target pi-mega-compact’s own state directory.
Source & flagged code
7 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10Package source references dynamic require/import behavior.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L80A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L13Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L58