AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a developer configuration CLI with powerful but package-aligned, user-invoked project maintenance actions.
Decision evidence
public snapshot- src/index.ts exposes user-invoked commands that run bunx tools, kill requested ports, and import local 10stars.config.
- src/index.ts prepare action writes project config and calls husky/setup helpers when explicitly run.
- src/manage-overrides.ts can rewrite package.json overrides and run bun install from the CLI prepare flow.
- package.json has no install/postinstall/prepare lifecycle; only prepublishOnly for publisher-side checks.
- package.json bin points to src/index.ts; behavior is CLI-activated, not import-time or install-time.
- src/vscode-config.ts writes only .vscode/extensions.json and .vscode/settings.json with fixed editor settings.
- src/patch-vanilla-extract.ts only patches installed @vanilla-extract integration files under node_modules.
- No network fetch/exfiltration endpoints or credential harvesting found by source inspection.
- No AI-agent control-surface files such as CLAUDE.md, .mcp.json, Codex/Cursor configs, or home-agent paths found.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
src/vscode-config.tsView on unpkg · L1Package source references dynamic require/import behavior.
src/link-packages.tsView on unpkg · L21Package source invokes a package manager install command at runtime.
src/manage-overrides.tsView on unpkg · L60This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/index.tsView on unpkg