AI Security Review
scanned 1h ago · by lpm-firewall-aiAn authenticated registrant can persist an arbitrary MCP command and trigger its execution through the LLM route. The same route reads Cockpit credential files and can send the resulting token to direct external LLM endpoints.
Decision evidence
public snapshot- `server/api/settings/llm.put.ts` stores arbitrary `mcpServers` command strings per team.
- `server/api/llm/generate.post.ts` splits each stored string and launches it with `StdioClientTransport`.
- `server/api/auth/register.post.ts` permits registration and creates an OWNER/team without an invite.
- `server/api/llm/generate.post.ts` reads `~/.antigravity_cockpit` secrets/tokens.
- That route forwards the loaded token as Bearer auth to direct LLM-provider fallbacks.
- `package.json` postinstall only runs Nuxt/Prisma generation; no package payload launcher found.
- No `preinstall` or arbitrary shell command appears in lifecycle scripts.
- No hidden binary/native loader, eval, or encoded second-stage payload was found.
- WhatsApp and Crikket network clients are application-aligned runtime integrations.
- The password-reset utility is an explicit user-invoked database admin command.
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a possible secret pattern.
bin/reset-admin-password.tsView on unpkg · L77This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
server/utils/job-queue.tsView on unpkg