AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface; the high-risk primitives are the advertised function of a remote dev-environment host. Remote access is activated by running the CLI and pairing/approving a client, not by install-time execution.
Decision evidence
public snapshot- dist/main.js exposes user-invoked remote terminal, filesystem, proxy, ports, and AI agent controls after pairing/approval.
- dist/main.js registers an additive Claude Code notification hook at runtime under the user's Claude settings when AgentsManager starts.
- dist/main.js can self-update in daemon mode via npm/npx when a connected approved client requests HOST_UPDATE.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- readme.md clearly describes remote terminal, filesystem, proxy, agent, QR pairing, and default unknown-client approval behavior.
- dist/main.js uses default relay wss://api.shellular.dev and out-of-band QR key exchange with libsodium encryption.
- dist/main.js filesystem operations are scoped through safePath(rootDir, requestedPath) and reject traversal outside --dir.
- No confirmed eval/Function/remote asset decode-and-execute pattern found in inspected source.
Source & flagged code
5 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/main.jsView on unpkg · L26A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/main.jsView on unpkg