AI Security Review
scanned 3h ago · by lpm-firewall-aiThe Node task runtime can fetch task-script source from the caller-configured Supabase project, write it to a temporary module, dynamically import it, and invoke its exported task function. This is an unguarded remote-code execution capability when remote tasks are enabled (the default).
Static reason
No blocking static signals were detected.
Trigger
A consumer initializes Supabase and runs Node task/repository resolution with no local task entry.
Impact
A party able to alter the configured Supabase task-script records can run arbitrary Node code in the consumer's task-worker process.
Mechanism
Configured-Supabase script fetch → temporary ESM write → dynamic import → task function invocation.
Rationale
This package contains a concrete high-risk remote task execution primitive, but source inspection does not show stealth, unsolicited install-time execution, a hard-coded attacker endpoint, or data theft. Treat it as a dangerous capability requiring a warning rather than confirmed malware.
Evidence
package.jsonsrc/repo/repo-manager.tssrc/repo/repo.script-loader.tssrc/task/task-node.tsdist/node.js
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/repo/repo-manager.ts` fetches task script records from configured Supabase.
- `src/repo/repo-manager.ts` enables remote resolution by default (`includeRemote = true`).
- `src/repo/repo.script-loader.ts` writes inline ESM source to a temp file then dynamically imports it.
- `src/task/task-node.ts` invokes the resolved `taskFn`, executing loaded task code.
- The same loader and default remote path are shipped in `dist/node.js`.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` hook.
- No hard-coded network host, credential exfiltration, shell execution, or AI-agent config mutation was found.
- Runtime network configuration requires caller-provided Supabase environment values.
- The remote-code path is part of the documented task/repository execution design, not import-time behavior.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcedist/node.jsView file
919}
L920: /** `file://` href for Node dynamic `import()` of a local module. */
L921: function toFileImportHref(filePath) {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/node.jsView on unpkg · L919Findings
3 Medium3 Low
MediumDynamic Requiredist/node.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings