AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a high-capability remote development host, but the observed capabilities match its documented CLI purpose and are gated by pairing/encryption and client approval.
Decision evidence
public snapshot- dist/main.js exposes user-invoked remote terminal, filesystem, proxy, ports, sysmon, and AI-agent controls after connection.
- dist/main.js can write ~/.shellular files, image attachments, and additive Claude hooks in ~/.claude/settings.json during CLI runtime.
- dist/main.js includes self-update and daemon management using npm/npx/pm2 when requested by a connected approved client.
- package.json has no install/preinstall/postinstall lifecycle scripts; main/bin are dist/main.js only.
- readme.md describes the exact purpose: host a dev environment for remote access from a phone via Shellular relay.
- Default server is wss://api.shellular.dev and registration/update endpoints are package-aligned; no unrelated exfiltration host found.
- Scanner remote decode/execute appears noisy: base64 handling is for images/binary protocol data, with no eval/new Function/vm execution found.
- Unknown clients default to requires-approval; foreground prompts and daemon rejects pending clients until approved.
- Child processes are package-aligned: PTY shells, git/system probes, AI adapters, pm2 daemon, and self-update commands.
Source & flagged code
5 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
dist/main.jsView on unpkg · L26A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/main.jsView on unpkg