AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an agent extension that persists its own compaction state and exposes an explicitly invoked localhost dashboard.
Decision evidence
public snapshot- `extensions/mega-compact.ts` uses child processes for git lookup and an explicit dashboard command.
- `src/httpEmbedder.ts` and `src/dedup/raptor/summarizer.ts` pass content to optional local model services.
- `package.json` has no preinstall/install/postinstall hook; only prepublishOnly build.
- `src/httpEmbedder.ts` rejects non-loopback embedding URLs.
- `src/dedup/raptor/summarizer.ts` rejects non-loopback Ollama URLs and defaults to local extractive summaries.
- `extensions/mega-compact.ts` starts the dashboard only through the user-invoked `mega-dashboard` command.
- `extensions/dashboard-server.ts` binds only to `127.0.0.1` and serves local state.
- No source evidence of credential harvesting, remote exfiltration, destructive actions, or foreign agent-config mutation.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/extensions/mega-compact.jsView on unpkgPackage source references child process execution.
dist/extensions/mega-compact.jsView on unpkg · L40Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/extensions/mega-compact.jsView on unpkg · L40A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L13Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/src/dedup/raptor/summarizer.jsView on unpkg · L58