AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious behavior or install-time attack was found. The notable risk is an explicit user-command path that installs first-party AI-agent skill/rule files into coding-host directories.
Static reason
No blocking static signals were detected.
Trigger
User runs `vise install-skill` or calls MCP/CLI tools such as `run_sensors`, docs, design, compliance, or block install commands.
Impact
Can modify project/local agent configuration and run detected project commands only through user-invoked tools; no unconsented install-time mutation or exfiltration observed.
Mechanism
explicit CLI/MCP project assistant with local sidecar writes and first-party agent skill setup
Rationale
Static inspection found no lifecycle hook, import-time payload, credential harvesting, or suspicious remote execution. Because the package includes explicit first-party agent skill installation into broad coding-agent surfaces, it fits a warning-level agent extension lifecycle risk rather than a publish block.
Evidence
package.jsondist/server.jsdist/tools/docs.jsdist/tools/sdkVersion.jsdist/tools/sensors.jsdist/tools/design.jsdist/tools/compliance.jsdist/tools/blocks.js.codex/skills/social-plus-vise.claude/skills/social-plus-vise.cursor/skills/social-plus-vise.cursor/rules/social-plus-vise.mdc.github/skills/social-plus-vise.agents/skills/social-plus-visesp-vise/*src/styles/social-plus-tokens.css
Network endpoints2
learn.social.plusregistry.npmjs.org
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/server.js exposes explicit `vise install-skill` command that copies bundled skill files into `.codex`, `.claude`, `.cursor`, `.github`, or `.agents` host directories.
- dist/server.js can remove legacy `social-plus-foundry` skill/rule files during explicit install-skill migration.
- dist/tools/sensors.js can spawn detected project build/test commands when the user calls `run_sensors` without dryRun.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks; only prepack/postpack scripts are declared.
- dist/server.js defaults to CLI/MCP server behavior and does not auto-install agent instructions on import or package install.
- Agent-control writes are package-owned guidance files and require explicit `vise install-skill` invocation or target flags.
- Network use is package-aligned docs/registry lookup: `https://learn.social.plus` and `https://registry.npmjs.org`; no credential exfiltration endpoint found.
- Filesystem writes are local sidecar/project outputs such as `sp-vise/*`, design tokens, block installs, and skill installation paths.
- No eval/vm/Function/native binary loading found; child_process use is limited to user-invoked sensor commands.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts registry_only=bench,bench:audit-boundaries,bench:experience-calibration,bench:experience-calibration:advisory-seeds,bench:experience-calibration:conditional-feasibility,bench:experience-calibration:dogfood-preview,bench:experience-calibration:dogfood-summary,bench:experience-calibration:gate3-advisory-quality; devDependencies registry_only=@amityco/social-plus-schemas,@types/node,ajv,typescript
Critical
Manifest Confusion
Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgFindings
1 Critical2 Medium5 Low
CriticalManifest Confusionpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License