AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an LM Studio agent-tool extension with explicit runtime file, shell, SSH, web, and memory capabilities; it has no install hook or foreign agent-control-surface mutation.
Decision evidence
public snapshot- package.json declares no npm lifecycle hook.
- src/index.ts only probes LM Studio on localhost before registration.
- Persistence is limited to package-owned LM Studio data paths.
- Shell, SSH, web, and file functions are explicit runtime tools.
- release/vibeLM-v0.2.4.zip contains matching source/build assets.
- tests/test_build.sh is an inert placeholder script.
Source & flagged code
9 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/toolsProvider.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
dist/toolsProvider.jsView on unpkg · L69Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
tests/test_build.shView on unpkgPackage ships non-JavaScript build or shell helper files.
tests/test_build.shView on unpkgPackage ships high-entropy non-source blobs.
release/vibeLM-v0.2.4.zipView on unpkgPackage ships compressed or archive-like blobs.
release/vibeLM-v0.2.4.zipView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
release/vibeLM-v0.2.4.zipView on unpkg