AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- server/cliSetup.mjs can install/run Claude Code, Codex, and Antigravity after /api/cli/setup user request.
- server/providers.mjs runs CLI agents against the user's workspace, including agy with --dangerously-skip-permissions, then snapshots/restores changes for review.
- server/localSetup.mjs can install Ollama via winget and pull local models after /api/local-ai/setup user request.
- server/providers.mjs sends prompts/images to configured AI providers using saved API keys.
- package.json has no preinstall/install/postinstall hook; only prepublishOnly build script.
- bin/relay-studio.mjs only starts local server and opens http://127.0.0.1 UI when user runs the bin.
- CLI/local setup routes in server/routes.mjs are explicit API actions, not install-time or import-time mutations.
- server/crypto.mjs stores provider keys encrypted under RELAY_HOME data; telemetry code says/counts-only and gates on consent/sign-in.
- server/commands.mjs uses an allowlist and blocks shell metacharacters/destructive commands for agent-requested shell execution.
- relay.app.json Supabase anon key is public client config, not a service-role secret.
Source & flagged code
9 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
server/providers.mjsView on unpkg · L4A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
server/providers.mjsView on unpkg · L4Package source references weak cryptographic algorithms.
server/providers.mjsView on unpkg · L4This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
electron/main.cjsView on unpkgManifest entrypoint contains risky behavior absent from dist/build output.
electron/main.cjsView on unpkg · L5Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
server/localSetup.mjsView on unpkg · L4