AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious behavior was found in runtime source. The only non-clean control surface is the prepare lifecycle hook that invokes Husky.
Static reason
No blocking static signals were detected.
Trigger
npm prepare lifecycle during source/git installation
Impact
May alter local VCS hook configuration; no credential exfiltration, remote execution, or destructive package behavior was established.
Mechanism
Husky lifecycle invocation for VCS-hook setup
Rationale
Source inspection found no concrete malware or unconsented broad control-surface mutation. The prepare-only Husky hook warrants a non-blocking warning under policy.
Evidence
package.jsonsrc/index.jssrc/utils.jssrc/client.jssrc/onedrive.jssrc/onedrive.cmd.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- package.json defines a prepare lifecycle hook: "husky".
- The lifecycle hook can initialize VCS hooks during source/git installs.
Evidence against
- src/index.js only runs when the 1d CLI entrypoint is invoked.
- src/utils.js dynamically imports only packaged .js command modules from src/excel.
- src/client.js uses Azure credentials for explicit OneDrive authentication and stores local state/cache files.
- src/onedrive.js file reads, writes, uploads, downloads, and subscription changes are explicit CLI commands.
- No child-process, eval/vm, shell execution, remote payload loader, or AI-agent config writes found.
Behavioral surface
CryptoDynamicRequireEnvironmentVarsFilesystem
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesrc/utils.jsView file
19// eslint-disable-next-line no-await-in-loop
L20: const cmd = (await import(path.resolve(dir, filename))).default;
L21: yargs.command(cmd);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/utils.jsView on unpkg · L19Findings
2 Medium5 Low
MediumDynamic Requiresrc/utils.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings