AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `ak-docs mcp install --cursor` or `ak-docs mcp install --claude`.
Impact
Adds an `ak-docs` MCP server entry that can launch `npx ak-docs mcp` for the project.
Mechanism
Explicit AI-agent MCP configuration mutation
Rationale
Source inspection confirms an explicit-user-command AI-agent configuration mutation, which warrants a warning under the stated policy. No concrete malicious behavior was found.
Evidence
package.jsonscripts/prepare.mjssrc/cli/program.tssrc/mcp/install.tssrc/mcp/server.tssrc/intelligence/peers.tssrc/federation/llms.tssrc/memory/github-pr.ts.cursor/mcp.json~/Library/Application Support/Claude/claude_desktop_config.json
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/mcp/install.ts` writes MCP configuration for Cursor or Claude Desktop.
- `src/cli/program.ts` exposes this only through explicit `ak-docs mcp install --cursor|--claude`.
- Claude target is `~/Library/Application Support/Claude/claude_desktop_config.json`; Cursor target is project `.cursor/mcp.json`.
- Configured server runs `npx ak-docs mcp` in the selected project.
Evidence against
- `package.json` has no preinstall/install/postinstall hook; `prepare` only builds missing `dist`.
- `src/mcp/install.ts` performs no network, credential, or environment harvesting.
- `src/mcp/server.ts` exposes local documentation tools and blocks `doc.get` paths escaping the project root.
- Dynamic imports in `src/intelligence/peers.ts` are named optional AgentsKit peers, not remote payload loading.
- Network fetches are user-configured federation reads or a manually invoked upstream-check script.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
3978try {
L3979: return await import(name);
L3980: } catch (error) {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L3978Findings
4 Medium5 Low
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings