AI Security Review
scanned 23h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Optional network use is constrained to loopback services, and dashboard process creation is user-command triggered.
Decision evidence
public snapshot- `package.json` has no `preinstall`, `install`, or `postinstall` hook.
- `src/httpEmbedder.ts` rejects non-loopback embedding URLs.
- `src/dedup/raptor/summarizer.ts` rejects non-loopback Ollama URLs and otherwise summarizes locally.
- `extensions/dashboard-server.ts` binds only to `127.0.0.1`.
- `extensions/mega-dashboard-cmds.ts` starts the dashboard only through registered user commands.
- No source call site imports the file-writing test helper in `extensions/error-patterns.ts`.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L13Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L58