AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The extension persists its own compaction state and offers an explicitly invoked localhost dashboard; optional model requests are loopback-restricted.
Decision evidence
public snapshot- package.json has only prepublishOnly; no install lifecycle hook.
- extensions/mega-dashboard-cmds.ts starts its server only through explicit dashboard commands.
- extensions/dashboard-server.ts binds solely to 127.0.0.1 on ports 9320–9329.
- src/httpEmbedder.ts rejects non-loopback embedding URLs.
- src/dedup/raptor/summarizer.ts permits only localhost/127.0.0.1 Ollama.
- Child processes run package-local dashboard or loopback request workers; no remote payload path found.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L13Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L58This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/extensions/mega-compact.test.jsView on unpkg