AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established by static inspection. The package is a user-invoked local AI orchestration server with optional integrations and setup helpers.
Decision evidence
public snapshot- User-invoked setup.js can write Claude Code hooks in ~/.claude/settings.json.
- CLI uses child_process to spawn its server and optional mkcert/tail commands.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- bin entrypoint dist/src/packages/server/cli.js only runs when tide-commander is invoked.
- Network use is package-aligned: local server/KRunner APIs and npm version check.
- dist/assets index secret hits are UI placeholders/config fields, not embedded credentials.
- KRunner install script is explicit user-run integration copying local helper files.
- No credential harvesting, exfiltration, persistence-on-install, or destructive behavior found.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/assets/index-BLMHzq1V.jsView on unpkg · L5OpenSSH private key in dist/assets/index-BLMHzq1V.js
dist/assets/index-BLMHzq1V.jsView on unpkg · L5Package source references dynamic require/import behavior.
dist/assets/pdf.worker.min-FHbmGBN0.mjsView on unpkg · L24Package source references a known benign dynamic code generation pattern.
dist/assets/pdf.worker.min-FHbmGBN0.mjsView on unpkg · L24Package source references weak cryptographic algorithms.
dist/src/packages/server/integrations/whatsapp/whatsapp-trigger-handler.jsView on unpkg · L134Package ships non-JavaScript build or shell helper files.
scripts/krunner/install-krunner-integration.shView on unpkgPackage contains source files above the static scanner size ceiling.
dist/assets/main-DVOwU_fp.jsView on unpkg