AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface. Agent and MCP configuration changes are explicit, user-invoked, and consent-gated; network behavior is package-aligned job/auth/claim functionality.
Decision evidence
public snapshot- User-invoked init/statusline/spinner can modify Claude/Cursor/Gemini agent config after prompts
- dist/bin/claim-push-bg.js can POST claim state to terminalhire.com when opt-in marker and token exist
- Ships native keytar binary for local credential storage
- package.json postinstall only runs postinstall.js, which prints a notice and exits
- postinstall.js performs no file writes, network calls, or installer execution
- install.js and statusline-install.js require typed yes before writing ~/.claude/settings.json
- MCP config writes in dist/bin/jpi-init.js require per-host consent and only target terminalhire server entries
- Background claim push is gated by prior explicit consent/token files and sends bounded claim fields
- Network endpoints are product-aligned: terminalhire.com, GitHub OAuth/API, public job APIs
Source & flagged code
11 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/bin/jpi-chat.jsView on unpkg · L5088Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/bin/jpi-chat.jsView on unpkg · L128Package source references a known benign dynamic code generation pattern.
dist/bin/jpi-dispatch.jsView on unpkg · L26046Package source references dynamic require/import behavior.
dist/bin/jpi-init.jsView on unpkg · L347A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/bin/jpi.jsView on unpkg · L5Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/bin/jpi-sync.jsView on unpkg · L128This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/bin/claim-push-bg.jsView on unpkg