AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `npx @7n/rules` synchronization modifies project AI-agent configuration and installs package-owned hook scripts. Explicit skill commands can start ACP agents with automatically selected permissions. No install-time execution is present.
Decision evidence
public snapshot- `bin/n-rules.js` default sync writes project agent files.
- `scripts/sync-claude-config.mjs` installs executable Claude hook scripts.
- `scripts/lib/acp-runner.mjs` auto-approves ACP agent permissions.
- `scripts/lib/resolve-plugins.mjs` can run `bun add -d` for detected plugins.
- `package.json` has no preinstall/install/postinstall lifecycle hooks.
- Agent mutations require explicit CLI execution, not package installation.
- Source names and documents the managed `.claude`, `.cursor`, and `.pi` files.
- No confirmed credential harvesting, hidden payload execution, or arbitrary exfiltration found.
Source & flagged code
7 flagged · loading sourcePackage source references dynamic require/import behavior.
scripts/smoke-check-imports.mjsView on unpkg · L49Package source invokes a package manager install command at runtime.
scripts/lib/resolve-plugins.mjsView on unpkg · L9Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.claude-template/hooks/normalize-decisions.shView on unpkgPackage ships non-JavaScript build or shell helper files.
.claude-template/hooks/normalize-decisions.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scripts/lib/acp-runner.mjsView on unpkg