AI Security Review
scanned 10d ago · by lpm-firewall-aiThis is a remote development host CLI with broad, advertised dual-use access after pairing. The main unresolved risk is silent runtime mutation of Claude hook settings for status notifications, plus powerful remote terminal/filesystem/agent features.
Decision evidence
public snapshot- dist/main.js registers with default relay wss://api.shellular.dev and exposes terminal, filesystem, proxy, ports, and AI-agent controls to approved clients.
- dist/main.js writes ~/.claude/settings.json hooks and ~/.shellular/hooks/shellular-notify.mjs at runtime to observe Claude/Codex session events.
- dist/main.js can spawn PTYs, agent CLIs, pm2 daemons, self-update commands, and kill processes by port after client messages.
- package.json has no install/preinstall/postinstall lifecycle hooks; main/bin are user-invoked CLI entrypoints.
- readme.md clearly describes remote terminal, filesystem, proxy, ports, agents, E2EE, QR pairing, and client approval behavior.
- dist/main.js restricts filesystem operations to the configured --dir root and requires client approval by default for unknown clients.
- No confirmed fetch-decode-eval chain or dynamic remote payload execution was found; scanner likely matched git show/base64/update logic and normal CLI spawning.
Source & flagged code
5 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/main.jsView on unpkg · L26A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/main.jsView on unpkg