AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package has install-time setup that stages its dashboard and optionally writes MCP/shortcut/autostart config, but the behavior is disclosed and package-aligned.
Decision evidence
public snapshot- package.json postinstall is gated to global/self installs and skips CI/transitive installs
- scripts/postinstall.cjs stages a bundled dashboard binary and invokes documented setup commands; failures exit 0
- dist/src/cli/install-mcp.js writes Claude/Codex MCP config entries with backups for the package's MCP server
- dist/src/cli/shortcut.js and autostart.js are Windows-only user integration helpers, not hidden persistence outside stated dashboard startup
- No credential harvesting, exfiltration endpoint, obfuscated payload, or destructive behavior found in inspected source
Source & flagged code
4 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/build-dashboard-tauri.cjsView on unpkg · L31