AI Security Review
scanned 2h ago · by lpm-firewall-ai
Source inspection was not completed, so no reliable attack surface determination is possible.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
unknown
Impact
unknown
Mechanism
uninspected package
Rationale
I could not complete the required read-only package inspection before this schema-bound response was emitted. This should be retried with filesystem inspection of package.json, dist/setup.js, config files, and native-host files.
Decision evidence
public snapshot
AI called this Manual Review at 0.0% confidence as Unknown with high false-positive risk.
Evidence for warning
- Finalization attempted before required source inspection due to tool-channel mistake.
Evidence against
Behavioral surface
ChildProcess · DynamicRequire · EnvironmentVars · Filesystem · Shell · HighEntropyStrings
Source & flagged code
3 flagged
package.json
•scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-local/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json
•scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-local/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream...
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
native-host/usrcp-bridge.cjs
L37: const path = require("node:path");
L38: const fs = require("node:fs");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
native-host/usrcp-bridge.cjs · L36
Findings
1 Critical · 1 High · 3 Medium · 3 Low
Critical · Red Install Lifecycle Script · package.json
High · Install Time Lifecycle Scripts · package.json
Medium · Dynamic Require · native-host/usrcp-bridge.cjs
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings