AI Security Review
scanned 2d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `bin/run.mjs` explicitly copies `template/.opencode` into the target project and replaces `AGENTS.md`.
- `bin/run.mjs` runs `npm install @sentropic/graphify` and invokes `npx graphify` after CLI execution.
- `bin/run.mjs` supports `dev --wrap`, changing the target `package.json` dev script to `scripts/ym-dev.mjs`.
- `template/scripts/ym-dev.mjs` executes the saved original dev command and logs its output locally.
- `package.json` contains no npm lifecycle hooks.
- No inspected source uses HTTP clients, sockets, webhooks, or hard-coded exfiltration endpoints.
- Mutations occur only after explicit CLI/subcommand use; install paths honor `--dry-run`.
- No remote payload loading, `eval`, credential harvesting, or stealth persistence was found.
Source & flagged code
3 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/run.mjsView on unpkgPackage source invokes a package manager install command at runtime.
bin/run.mjsView on unpkg · L2