AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time or import-time attack surface was found. The package intentionally creates and runs AI-agent minds with broad permissions and generated hooks, which is a first-party agent lifecycle risk rather than covert malware.
Decision evidence
public snapshot- templates/claude/src/agent.ts runs Claude SDK with permissionMode bypassPermissions and allowDangerouslySkipPermissions.
- templates/codex/src/agent.ts resumes Codex threads with sandboxMode danger-full-access and networkAccessEnabled true.
- templates/claude/.init/.claude/settings.json installs a SessionStart command hook in generated mind templates.
- dist/chunk-JO5IO4FH.js supports user-invoked extension npm install, but uses --ignore-scripts.
- package.json has no preinstall/install/postinstall; prepare is lefthook install for dev/git lifecycle.
- dist/cli.js only dispatches explicit CLI commands and localhost daemon extension commands.
- Network use is package-aligned: localhost daemon, npm update flow, volute.systems account/cloud APIs, OpenRouter embedding config.
- templates/_base/.init/.local/hooks/wake-context.sh is a benign empty hook stub with comments only.
- No credential harvesting or exfiltration to unrelated endpoints found in inspected source.
Source & flagged code
11 flagged · loading sourcePackage source references child process execution.
dist/chunk-JZ62SYWR.jsView on unpkg · L9This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-JO5IO4FH.jsView on unpkgSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/chunk-JO5IO4FH.jsView on unpkg · L108Package source references dynamic require/import behavior.
dist/chunk-JO5IO4FH.jsView on unpkg · L936Source writes installer persistence such as shell profile or service configuration.
dist/chunk-CDPBTTZO.jsView on unpkg · L11A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/daemon.jsView on unpkg · L623Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/daemon.jsView on unpkg · L632Package source invokes a package manager install command at runtime.
dist/daemon.jsView on unpkg · L7381Package ships non-JavaScript build or shell helper files.
dist/skills/dreaming/scripts/wake-context-dreams.shView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
templates/_base/.init/.local/hooks/wake-context.shView on unpkg