AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a developer configuration CLI with user-invoked commands that can format, lint, typecheck, update project config, run user-provided commands, or kill requested ports.
Decision evidence
public snapshot- package.json has only prepublishOnly; no install/postinstall/prepare lifecycle for consumers
- src/index.ts CLI dispatch requires explicit command and prints help by default
- src/index.ts prepare is user-invoked and skips in CI; it runs husky, VSCode setup, overrides, and optional local package linking
- src/vscode-config.ts writes only project .vscode/extensions.json and settings.json with editor config
- src/manage-overrides.ts edits project package.json overrides and runs bun install only during explicit prepare
- No network endpoints, credential harvesting, AI-agent control-surface writes, or import-time payload found
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
src/vscode-config.tsView on unpkg · L1Package source references dynamic require/import behavior.
src/link-packages.tsView on unpkg · L21Package source invokes a package manager install command at runtime.
src/manage-overrides.tsView on unpkg · L60This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/index.tsView on unpkg