registry  /  @agent-pattern-labs/leads-rig  /  0.1.9

@agent-pattern-labs/leads-rig@0.1.9

Agentic public-web lead discovery harness with portable ingest artifacts

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package runs an unprompted postinstall synchronizer in the consuming project. It injects package-controlled AI-agent configurations and instructions into several supported agent control surfaces.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm install executes `postinstall`
Impact
A package install can alter future agent behavior and configure local MCP commands in unrelated consumer projects.
Mechanism
consumer-project AI-agent configuration and instruction injection
Policy narrative
On installation, `bin/sync.mjs` resolves the consumer project from `INIT_CWD` or the current directory, then creates symlinks from this package into broad AI-agent configuration paths including Cursor, Claude, Codex, OpenCode, Pi, and root MCP configuration. It also rewrites an existing consumer `opencode.json` to reference package-supplied instructions. The injected MCP configuration specifies executable commands, including `npx -y @geometra/mcp@1.61.3`, making this an unconsented install-time mutation of foreign AI-agent control surfaces.
Rationale
Direct source inspection confirms unconsented postinstall modification of broad consumer AI-agent control surfaces. This meets the firewall block boundary even without separate credential theft or exfiltration.
Evidence
package.jsonbin/sync.mjs.mcp.json.cursor/mcp.json.codex/config.tomlopencode.json.claude/settings.json.claude/agents.opencode/instructions.md.opencode/skills.opencode/agents.pi/skills.pi/promptsAGENTS.harness.mdCLAUDE.harness.md

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` defines `postinstall: node bin/sync.mjs`.
  • `bin/sync.mjs` selects consumer `INIT_CWD`/working directory.
  • Postinstall creates agent-control symlinks under `.cursor`, `.claude`, `.codex`, `.opencode`, `.pi`, and `.mcp.json`.
  • `bin/sync.mjs` modifies consumer `opencode.json` to load package instructions.
  • Dropped MCP configs invoke `npx -y @geometra/mcp@1.61.3` and `state-trace-mcp`.
Evidence against
  • Sync avoids overwriting existing real files or mismatched symlinks.
  • No source evidence of credential harvesting, exfiltration, or destructive deletion.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 163 KB of source, external domains: api.github.com, bsky.app, cold-agent-leads.example.com, example.com, github.com, opencode.ai, public.api.bsky.app, www.facebook.com, www.instagram.com, www.linkedin.com, www.youtube.com, x.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/sync.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
lib/leadharness-crawler.mjsView file
1import { createHash } from 'crypto'; L2: import { lookup, resolveMx } from 'dns/promises'; L3: import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from 'fs'; ... L314: L315: const html = (await response.text()).slice(0, MAX_BODY_CHARS); L316: const finalUrl = response.url || pageUrl;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/leadharness-crawler.mjsView on unpkg · L1
bin/sync.mjsView file
1Install-time AI-agent control hijack evidence: L5: lstatSync, L6: mkdirSync, L7: readFileSync, ... L9: symlinkSync, L10: writeFileSync, L11: } from 'fs'; ... L43: { src: '.cursor/iso-route.md', dst: '.cursor/iso-route.md' }, L44: { src: '.mcp.json', dst: '.mcp.json' }, L45: { src: '.claude/agents', dst: '.claude/agents' }, L46: { src: '.claude/settings.json', dst: '.claude/settings.json' }, L47: { src: '.claude/iso-route.resolved.json', dst: '.claude/iso-route.resolved.json' }, L48: { src: '.codex/config.toml', dst: '.codex/config.toml' }, Payload evidence from .mcp.json: L1: { L2: "mcpServers": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/sync.mjsView on unpkg · L1
batch/batch-runner.shView file
path = batch/batch-runner.sh kind = build_helper sizeBytes = 655 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

batch/batch-runner.shView on unpkg
scripts/batch-orchestrator.mjsView file
matchType = normalized_sha256 matchedPackage = @agent-pattern-labs/leads-rig@0.1.8 matchedPath = scripts/batch-orchestrator.mjs matchedIdentity = npm:[redacted]:0.1.8 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/batch-orchestrator.mjsView on unpkg

Findings

1 Critical2 High4 Medium5 Low
CriticalAi Agent Control Hijackbin/sync.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similarityscripts/batch-orchestrator.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbatch/batch-runner.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptolib/leadharness-crawler.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings