AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `src/commands/update.js` can overwrite project `AGENTS.md` after `uniweb update`.
- The update command may run the chosen package manager to align Uniweb dependencies.
- `src/utils/registry-auth.js` stores backend bearer sessions in `~/.uniweb/registry-auth.json`.
- `package.json` defines no preinstall/install/postinstall lifecycle hook.
- `src/commands/update.js` limits `AGENTS.md` writes to a Uniweb workspace and prompts unless `--yes` or explicit modes are used.
- `partials/agents.md` is framework developer documentation, not prompt-control instructions.
- Network calls are tied to explicit template, update, login, registry, and deployment commands.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/index.jsView on unpkgPackage source references dynamic require/import behavior.
src/index.jsView on unpkg · L205Package source invokes a package manager install command at runtime.
src/commands/register.jsView on unpkg · L275