AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time malicious behavior was found. The main risk is a first-party AI-agent extension setup performed by the explicit privateer CLI launcher, plus authenticated remote relay features aligned with the package purpose.
Static reason
No blocking static signals were detected.
Trigger
User runs the privateer CLI or enables remote access inside the agent
Impact
Agent config/extensions are modified for Privateer operation; remote relay may transmit bounded prompts, tool events, approvals, and user-selected files when enabled.
Mechanism
first-party agent extension shims and authenticated relay client
Rationale
Static inspection shows no unconsented install-time mutation, credential harvesting, destructive behavior, or remote payload execution. Because the CLI explicitly writes first-party extension shims into its agent control surface, this fits lifecycle-risk warning rather than a publish block.
Evidence
package.jsonbin/privateer-tuibin/privateer.mjssrc/auth/privateer.tssrc/remote/relayClient.tssrc/tools/sendFile.tssrc/tools/saveAttachment.tssrc/tools/routine.ts${PRIVATEER_HOME:-$HOME/.privateer}/agent/extensions/*.ts${PRIVATEER_HOME:-$HOME/.privateer}/agent/settings.json${PRIVATEER_HOME:-$HOME/.privateer}/credentials.json
Network endpoints7
helix-server-m1ac.onrender.com/auth/device/code/auth/device/token/auth/session/spawn/auth/refresh/relay/ticket/relay?ticket=...
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- bin/privateer-tui writes extension shim files under PRIVATEER_HOME/.privateer agent dir on explicit CLI launch
- bin/privateer-tui updates agent settings.json quietStartup on explicit CLI launch
- src/remote/relayClient.ts can relay prompts/events/files over WebSocket when remote access is enabled
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts
- bin entry is user-invoked CLI, not install-time execution
- src/auth/privateer.ts validates server URL as https or loopback before sending tokens
- src/remote/relayClient.ts redacts/truncates relay events and requires authenticated ticket
- File send/save/routine tools are described as permission-gated user/agent actions
Behavioral surface
CryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcebin/privateer.mjsView file
21register(); // resolves the repo's tsx regardless of the invocation cwd
L22: await import(resolve(repo, "src/cli/chat.ts"));
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/privateer.mjsView on unpkg · L21Findings
3 Medium4 Low
MediumDynamic Requirebin/privateer.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings