AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Risky primitives are aligned with an extensible browser/website CLI and are install- or user-command scoped.
Decision evidence
public snapshot- package.json has postinstall/preuninstall lifecycle hooks.
- scripts/postinstall.js writes shell completions and ~/.opencli/spotify.env on global install.
- scripts/fetch-adapters.js can remove stale ~/.opencli/clis overrides on global/explicit install.
- dist/src/discovery.js imports user adapters/plugins from ~/.opencli at runtime.
- postinstall is global-install gated, skips CI, and does not edit shell rc files.
- scripts/fetch-adapters.js has no network calls and only manages OpenCLI adapter state.
- dist/src/launcher.js only probes/launches local Electron CDP endpoints with user-invoked commands.
- dist/src/update-check.js only fetches package/release metadata and caches ~/.opencli/update-check.json.
- clis/flomo/memos.js sends a user browser session token only to flomoapp.com for the requested Flomo command.
- No credential harvesting or exfiltration to unrelated hosts found in inspected sources.
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/src/external.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/src/browser/article-extract.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/src/discovery.jsView on unpkg · L1Package source references weak cryptographic algorithms.
clis/flomo/memos.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
scripts/postinstall.jsView on unpkg · L7Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/src/launcher.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
scripts/check-doc-coverage.shView on unpkg