loki-mode
Audited by Socket on Feb 15, 2026
1 alert found:
Anomaly: The Loki Mode script is a feature-rich autonomous runner with several protective and auditing mechanisms. It nonetheless introduces meaningful security and supply-chain risk through perpetual operation (PERPETUAL_MODE), self-copy behavior, invoking the AI with the --dangerously-skip-permissions flag, and local exposure via dashboards and state files. No explicit malware is evident in this fragment, but the design enables aggressive automation with a substantial attack surface when the package is consumed from open-source channels. Recommended hardening: remove or clearly document the self-copy behavior so it can be audited; avoid or constrain PERPETUAL_MODE; tighten AI permissions (do not pass dangerous flags); sandbox Claude's outputs before they are applied; strictly sanitize PRD and codebase data fed to the model; lock down local dashboard exposure (for example, bind only to loopback); and add explicit access controls and non-persistent state when running in untrusted environments.
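The alert above names five risk classes (perpetual operation, self-copy, the dangerous AI flag, dashboard exposure, state files) without showing how to check for them before running a downloaded runner. The following is an added example, not Socket's tooling and not code from the loki-mode project: a small pre-install scanner that greps a shell script for heuristic patterns matching each class. The patterns, the sample scripts (SAMPLE and HARDENED), the http.server dashboard, and the state-file paths are constructed assumptions about how such behaviour typically appears in a bash runner, not facts about loki-mode itself.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Heuristic patterns, one per risk class in the Socket alert.
# ASSUMPTION: these reflect common bash idioms, not the loki-mode source.
PATTERNS = {
    "dangerous-ai-flag": re.compile(r"--dangerously-skip-permissions"),
    "perpetual-mode": re.compile(r"\bPERPETUAL_MODE\b|^\s*while\s+(true|:)\s*;"),
    "self-copy": re.compile(r"\bcp\b[^\n]*(\$0|\$\{?BASH_SOURCE)"),
    "exposed-dashboard": re.compile(
        r"(--host|--bind|-b)\s*[= ]?\s*0\.0\.0\.0|\b0\.0\.0\.0:\d+"),
    "predictable-state-path": re.compile(r"/tmp/[\w.-]+"),
}


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    line: str


def scan_script(text: str) -> list[Finding]:
    """Return one Finding per (line, risk class) hit; comment lines are skipped."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # a comment does not execute
        for category, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(category, n, stripped))
    return findings


def categories(findings: list[Finding]) -> list[str]:
    """Distinct risk classes present, sorted for stable comparison."""
    return sorted({f.category for f in findings})


# Constructed sample exhibiting every risk class named in the alert.
SAMPLE = """#!/usr/bin/env bash
# constructed sample, not the real loki-mode script
set -euo pipefail
STATE_FILE=/tmp/loki-state.json
cp "$0" "$HOME/.loki/runner.sh"
python3 -m http.server 8080 --bind 0.0.0.0 &
PERPETUAL_MODE=${PERPETUAL_MODE:-1}
while true; do
  claude -p "$(cat PRD.md)" --dangerously-skip-permissions
  [ "$PERPETUAL_MODE" = 1 ] || break
done
"""

# Constructed hardened variant: loopback dashboard, bounded loop,
# per-run temp state removed on exit, no dangerous flag, no self-copy.
HARDENED = """#!/usr/bin/env bash
# constructed hardened variant
set -euo pipefail
STATE_DIR="$(mktemp -d)"; trap 'rm -rf "$STATE_DIR"' EXIT
python3 -m http.server 8080 --bind 127.0.0.1 &
MAX_ITER=${MAX_ITER:-5}
for ((i = 0; i < MAX_ITER; i++)); do
  claude -p "$(cat PRD.md)"
done
"""


if __name__ == "__main__":
    for name, script in (("SAMPLE", SAMPLE), ("HARDENED", HARDENED)):
        hits = scan_script(script)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no:>2} [{f.category}] {f.line}")
```

Run it against the script you are about to install (read the file into scan_script) rather than the embedded samples; a clean result is not proof of safety, since these are string heuristics and an obfuscated or indirected invocation (for example a flag assembled from variables) will not match, but any hit is worth reading before the runner is allowed to execute with shell access.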