AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The risky primitives are lifecycle-local setup, user-invoked adapter/plugin loading, browser automation, and package-aligned network/version checks.
Decision evidence
public snapshot- package.json defines postinstall and preuninstall lifecycle hooks.
- scripts/postinstall.js writes shell completion files and ~/.opencli/spotify.env only for global installs.
- scripts/fetch-adapters.js can remove stale ~/.opencli/clis overrides on global/explicit first-run sync.
- dist/src/discovery.js dynamically imports adapters/plugins from package and ~/.opencli at runtime.
- clis/segmentfault/article.js mutates XMLHttpRequest.prototype inside the browser page during a user-invoked publish flow.
- No install-time credential harvesting or outbound exfiltration found in inspected lifecycle scripts.
- scripts/fetch-adapters.js comment and code state no network calls; it hashes packaged clis/ files and updates a local manifest.
- Network calls in clis/segmentfault/article.js target segmentfault.com for the declared SegmentFault adapter and require --execute for write publishing.
- dist/src/external.js parses install commands and rejects shell metacharacters before execFileSync.
- dist/src/update-check.js only performs background version checks to npm registry and GitHub releases with cached local state.
- dist/src/browser/article-extract.js uses new Function to load bundled Mozilla Readability sources for page extraction.
Source & flagged code
12 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/src/external.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/src/browser/article-extract.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/src/discovery.jsView on unpkg · L1Package source references weak cryptographic algorithms.
clis/flomo/memos.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
scripts/postinstall.jsView on unpkg · L7A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/browser/managed-chrome.jsView on unpkg · L1Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/src/launcher.jsView on unpkg · L1Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.
clis/segmentfault/article.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
scripts/check-doc-coverage.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/cli.jsView on unpkg