AI Security Review
scanned 4d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time behavior was found. The package does expose powerful local GUI/CLI automation surfaces, including arbitrary command execution and Claude Code execution with skipped permissions, so it is risky if exposed to an untrusted local browser context.
Decision evidence
public snapshot

- src/ui/server/routes/exec.js exposes /api/exec-stream that spawns arbitrary user-supplied commands in the project cwd.
- src/ui/server/routes/workbench/taskRunner.js launches claude with --permission-mode bypassPermissions and --dangerously-skip-permissions from GUI tasks.
- src/ui/server/routes/terminal.js can open a terminal and run supplied commands.
- src/ui/server/routes/npm.js supports self-upgrade via npm install -g zen-gitsync and checks registry.npmjs.org.
- scripts/release.js mutates package.json and publishes to npm, but only under explicit npm run release.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- index.js only exports config and startServer; it does not start the server or run commands on import.
- src/gitCommit.js command execution is CLI/user-invoked and centered on git commit/pull/push workflow.
- No source-inspected credential harvesting or covert exfiltration endpoint was found.
- Network use is package-aligned: npm registry update checks and user-configured OpenAI-compatible LLM base URLs.
Source & flagged code
9 flagged

- Package source references child process execution. (scripts/run-tests.cjs, line 19)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (src/ui/server/routes/npm.js, line 172)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (src/ui/server/routes/npm.js, line 6)
- Source mutates package metadata and republishes itself to npm. (scripts/release.js, line 7)
- Package source invokes a package manager install command at runtime. (scripts/release.js, line 25)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (src/ui/public/assets/html.worker-BO6WuOEO.js, line 29)
- Package contains source files above the static scanner size ceiling. (src/ui/public/assets/vendor-DTvkqYXo.js)
- Tarball package.json differs from the npm registry version manifest for scripts or dependency sets. (package.json)