AI Security Review
scanned 2h ago · by lpm-firewall-aiAt runtime, authenticated pipeline execution can let LLM output invoke configured MCP tools or issue an arbitrary command to a configured sandbox executor. This is an intentional agent-orchestration capability, not install-time behavior.
Static reason
No blocking static signals were detected.
Trigger
User starts the server and runs a pipeline with configured agents, sandbox, or MCP servers.
Impact
Configured sandbox commands and MCP tools can access whatever permissions their external services or child processes receive.
Mechanism
LLM-directed sandbox command execution and configured MCP subprocess launching.
Rationale
The package contains a concrete, powerful LLM-directed command-execution path and MCP subprocess launcher, creating dangerous dual-use risk. Direct inspection found no malicious install hook, credential exfiltration, or unauthorized AI-agent control-surface mutation.
Evidence
package.jsonsrc/server/index.tssrc/server/agents/agentRunner.tssrc/server/mcp/index.tssrc/server/db/index.tssrc/lib/agentfile.ts
Network endpoints6
api.openai.com/v1api.anthropic.com/v1generativelanguage.googleapis.com/v1betaapi.cerebras.ai/v1api.groq.com/openai/v1openrouter.ai/api/v1
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/server/agents/agentRunner.ts` sends model-selected `bash`/`shell` commands to a configured sandbox `/exec` endpoint.
- `src/server/mcp/index.ts` spawns configured MCP server commands with inherited environment variables.
- `src/server/agents/agentRunner.ts` sends prompts to configured LLM provider APIs using environment API keys.
Evidence against
- `package.json` has only `prepare`, which runs Svelte synchronization and no install-time payload.
- MCP default server configuration is empty; source does not auto-start a bundled external command.
- No source evidence of credential harvesting, hidden file collection, remote payload download, or foreign AI-agent config mutation.
- Provider network calls are aligned with the declared self-hosted AI orchestration purpose.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/lib/memory.tsView file
457*/
L458: import(agentId: string, data: { memories?: MemoryBlock[]; trajectories?: Trajectory[] }): void {
L459: if (data.memories) {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/lib/memory.tsView on unpkg · L457scripts/test-quay.shView file
•path = scripts/test-quay.sh
kind = build_helper
sizeBytes = 27475
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/test-quay.shView on unpkgFindings
5 Medium5 Low
MediumDynamic Requiresrc/lib/memory.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/test-quay.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings