AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package performs local context compaction and optional local dashboard/embedding interactions.
Decision evidence
public snapshot- `extensions/mega-compact.ts` can spawn a detached dashboard only through the explicit `mega-dashboard` command.
- `src/httpEmbedder.ts` uses a child Node worker for embedding requests when a user configures an endpoint.
- `package.json` has only `prepublishOnly`; there is no preinstall/install/postinstall hook.
- `src/httpEmbedder.ts` rejects every embedding URL except `localhost` or `127.0.0.1`.
- `src/dedup/raptor/summarizer.ts` similarly enforces loopback-only Ollama URLs and otherwise uses local extractive summaries.
- `extensions/dashboard-server.ts` binds its HTTP server to `127.0.0.1`; it only serves local dashboard state.
- No remote payload loader, credential harvesting, foreign agent-config write, eval/vm use, or destructive filesystem behavior was found in reviewed runtime entries.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/extensions/mega-compact.jsView on unpkgPackage source references child process execution.
dist/extensions/mega-compact.jsView on unpkg · L40Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/extensions/mega-compact.jsView on unpkg · L40A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L13Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L58