AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- cli/dist/specrails-desktop.js user-invoked fallback spawns `claude` with `--dangerously-skip-permissions`.
- server/dist/providers/claude-adapter.js uses `--dangerously-skip-permissions` for Claude agent spawns.
- server/dist/claude-trust.js best-effort writes `~/.claude.json` trust flags before Claude spawns.
- server/dist/plugins/serena/install.js can add Serena MCP to project `.mcp.json` or per-project Codex `CODEX_HOME` on plugin install.
- server/dist/plugins/prereq-installer.js can run official uv installers from `https://astral.sh/uv/install.sh` or `.ps1` when requested.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- Network use is loopback manager traffic or documented setup/update endpoints, not hidden exfiltration.
- server/dist/auth.js binds sensitive API expectations to loopback auth, host validation, and bearer token checks.
- Plugin and agent config mutations are explicit app/plugin actions with rollback/ownership tracking, not install-time mutation.
- Serena MCP registration is first-party app plugin setup scoped to project `.mcp.json` or per-project Codex home.
- No credential harvesting or remote payload execution found in inspected entrypoints/hot files.
Source & flagged code
6 flagged · loading sourcePackage source references dynamic require/import behavior.
server/dist/worktree-overlay.jsView on unpkg · L44Source writes installer persistence such as shell profile or service configuration.
server/dist/terminal-shell-integration.jsView on unpkg · L23Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
server/dist/plugins/prereq-installer.jsView on unpkg · L3Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
client/dist/assets/html.worker-CQP8QQsS.jsView on unpkg · L29Package contains source files above the static scanner size ceiling.
client/dist/assets/editor.api2-C3B0tp2x.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
server/dist/headroom-manager.jsView on unpkg