registry  /  @agent-pattern-labs/leads-rig  /  0.1.8

@agent-pattern-labs/leads-rig@0.1.8

Agentic public-web lead discovery harness with portable ingest artifacts

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Confirmed unconsented postinstall mutation of broad AI-agent control surfaces in the installing project. This can cause future Codex/Claude/Cursor/OpenCode/Pi/MCP sessions to load package-supplied instructions and MCP configuration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @agent-pattern-labs/leads-rig@0.1.8 in a consumer project
Impact
Package-controlled agent instructions and MCP servers may influence later AI-agent behavior without an explicit setup command.
Mechanism
postinstall symlink/drop of agent and MCP config plus opencode.json mutation
Policy narrative
On npm install, package.json invokes bin/sync.mjs. The script resolves the consumer project via INIT_CWD/current working directory, then symlinks package-controlled configuration into multiple AI-agent surfaces and patches opencode.json to load package instructions. Existing real files are not overwritten, but absent control files are created automatically during install, before the user runs an explicit setup command.
Rationale
Source inspection confirms the scanner’s key finding: a postinstall hook mutates broad/foreign AI-agent control surfaces in the consumer project. Under the install-control-surface policy, this is publish-blocking even though the payload appears harness-aligned and no install-time exfiltration endpoint was found. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonbin/sync.mjs.codex/config.toml.mcp.json.cursor/mcp.json.claude/settings.json.opencode/instructions.mdbin/lead-harness.mjslib/leadharness-ingest.mjslib/leadharness-crawler.mjs.cursor/rules/main.mdc.claude/agents.opencode/skills/public-leads.md.opencode/agents.pi/skills.pi/promptsmodels.yamlmodestemplatesbatch/batch-runner.shAGENTS.harness.md

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node bin/sync.mjs.
  • bin/sync.mjs runs at install using INIT_CWD/process.cwd as PROJECT_DIR, outside package root.
  • bin/sync.mjs creates symlinks into consumer AI-agent control paths: .cursor, .claude, .codex, .opencode, .pi, .mcp.json.
  • bin/sync.mjs also mutates existing consumer opencode.json to add .opencode/instructions.md.
  • .codex/config.toml and .mcp.json configure MCP servers/agent models under package control.
  • The hook skips only when running inside the harness repo; normal consumers receive these changes during npm install.
Evidence against
  • bin/sync.mjs avoids overwriting existing real files and leaves conflicting symlinks alone.
  • Inspected ingest/crawler code shows user-invoked crawling and API ingest rather than install-time credential exfiltration.
  • No hardcoded malicious exfiltration endpoint found in the lifecycle hook.
  • Agent instructions are aligned with the public-leads harness purpose and include safety limits.
  • CLI child_process usage in bin/lead-harness.mjs dispatches package/user-invoked helper commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 13 file(s), 136 KB of source, external domains: cold-agent-leads.example.com, example.com, opencode.ai, www.linkedin.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/sync.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
lib/leadharness-crawler.mjsView file
1import { createHash } from 'crypto'; L2: import { lookup, resolveMx } from 'dns/promises'; L3: import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from 'fs'; ... L314: L315: const html = (await response.text()).slice(0, MAX_BODY_CHARS); L316: const finalUrl = response.url || pageUrl;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/leadharness-crawler.mjsView on unpkg · L1
bin/sync.mjsView file
1Install-time AI-agent control hijack evidence: L5: lstatSync, L6: mkdirSync, L7: readFileSync, ... L9: symlinkSync, L10: writeFileSync, L11: } from 'fs'; ... L43: { src: '.cursor/iso-route.md', dst: '.cursor/iso-route.md' }, L44: { src: '.mcp.json', dst: '.mcp.json' }, L45: { src: '.claude/agents', dst: '.claude/agents' }, L46: { src: '.claude/settings.json', dst: '.claude/settings.json' }, L47: { src: '.claude/iso-route.resolved.json', dst: '.claude/iso-route.resolved.json' }, L48: { src: '.codex/config.toml', dst: '.codex/config.toml' }, Payload evidence from .mcp.json: L1: { L2: "mcpServers": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/sync.mjsView on unpkg · L1
batch/batch-runner.shView file
path = batch/batch-runner.sh kind = build_helper sizeBytes = 655 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

batch/batch-runner.shView on unpkg

Findings

1 Critical1 High4 Medium5 Low
CriticalAi Agent Control Hijackbin/sync.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbatch/batch-runner.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptolib/leadharness-crawler.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings