AI Security Review
scanned 22h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package registers a first-party compaction extension, persists its own state, and optionally starts a loopback dashboard after an explicit command.
Decision evidence
public snapshot- Optional `mega-dashboard` explicitly spawns a detached local dashboard process.
- Local-model paths pass conversation text to loopback-only configured services.
- `package.json` has only `prepublishOnly`; no install/preinstall/postinstall hook.
- `src/httpEmbedder.ts` rejects non-loopback embedding URLs.
- `src/dedup/raptor/summarizer.ts` rejects non-loopback Ollama URLs.
- `extensions/mega-dashboard-cmds.ts` starts only from registered user commands.
- No source evidence of credential harvesting, remote exfiltration, or foreign agent-config mutation.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L13Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L58This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/store/sqlite.jsView on unpkg