AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Confirmed unconsented postinstall mutation of broad AI-agent control surfaces in the installing project. This can cause future Codex/Claude/Cursor/OpenCode/Pi/MCP sessions to load package-supplied instructions and MCP configuration.
Decision evidence
public snapshot- package.json defines postinstall: node bin/sync.mjs.
- bin/sync.mjs runs at install using INIT_CWD/process.cwd as PROJECT_DIR, outside package root.
- bin/sync.mjs creates symlinks into consumer AI-agent control paths: .cursor, .claude, .codex, .opencode, .pi, .mcp.json.
- bin/sync.mjs also mutates existing consumer opencode.json to add .opencode/instructions.md.
- .codex/config.toml and .mcp.json configure MCP servers/agent models under package control.
- The hook skips only when running inside the harness repo; normal consumers receive these changes during npm install.
- bin/sync.mjs avoids overwriting existing real files and leaves conflicting symlinks alone.
- Inspected ingest/crawler code shows user-invoked crawling and API ingest rather than install-time credential exfiltration.
- No hardcoded malicious exfiltration endpoint found in the lifecycle hook.
- Agent instructions are aligned with the public-leads harness purpose and include safety limits.
- CLI child_process usage in bin/lead-harness.mjs dispatches package/user-invoked helper commands.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references weak cryptographic algorithms.
lib/leadharness-crawler.mjsView on unpkg · L1Install-time source drops package-supplied AI-agent/MCP control files or instructions.
bin/sync.mjsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
batch/batch-runner.shView on unpkg