AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `package.json` runs `hooks/postinstall.js` on install.
- `hooks/sqliteRuntime.js` installs `sql.js` and `better-sqlite3` into `~/.9router/runtime`.
- `hooks/trayRuntime.js` installs `systray2`, removes legacy tray files, and chmods its binary.
- `app/src/mitm/server.js` is a bundled MITM proxy targeting Copilot, Cursor, Kiro, and Antigravity hosts.
- MITM code stores intercepted request/response data under the package data directory.
- Postinstall only provisions declared runtime dependencies; it does not configure foreign AI-agent files.
- Runtime installs use npm with fixed package names and versions where specified.
- No credential harvesting or unrelated exfiltration path was confirmed.
- MITM targets are explicit product functionality and activation is runtime/user-driven.
Source & flagged code
17 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
app/.next-cli-build/server/chunks/2521.jsView on unpkg · L1RSA private key in app/.next-cli-build/server/chunks/2521.js
app/.next-cli-build/server/chunks/2521.jsView on unpkg · L1Package source references child process execution.
app/_nm/next/dist/server/lib/start-server.jsView on unpkg · L33Package source references shell execution.
app/_nm/next/dist/next-devtools/server/launch-editor.jsView on unpkg · L371Package source references dynamic code evaluation.
app/_nm/next/dist/compiled/browserslist/index.jsView on unpkg · L1Package source references dynamic require/import behavior.
app/server.jsView on unpkg · L1Package source references weak cryptographic algorithms.
app/_nm/next/dist/compiled/@edge-runtime/primitives/load.jsView on unpkg · L39Source writes installer persistence such as shell profile or service configuration.
src/cli/tray/autostart.jsView on unpkg · L3A single source file combines environment access, network access, and code or shell execution; review context before blocking.
app/src/mitm/server.jsView on unpkg · L24Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
app/src/mitm/server.jsView on unpkg · L24Package source invokes a package manager install command at runtime.
app/src/lib/updater/updater.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
src/cli/tray/tray.ps1View on unpkgPackage ships high-entropy non-source blobs.
app/.next-cli-build/static/media/ba9851c3c22cd980-s.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
app/_nm/playwright-core/lib/utilsBundle.jsView on unpkgRSA private key in app/.next-cli-build/server/chunks/7947.js
app/.next-cli-build/server/chunks/7947.jsView on unpkg · L1