AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
Explicit CLI/MCP invocation such as vise install-skill, search_docs, run_sensors, init/check/design/block commands.
Impact
Can modify AI-tool instruction directories or project files when invoked, but no unconsented install-time mutation or exfiltration was found.
Mechanism
User-command AI skill installation and local project helper automation.
Rationale
Source inspection shows package-aligned CLI/MCP functionality with user-invoked agent-skill installation, local sidecar writes, docs fetching, and validation sensors, but no concrete malicious chain or install-time mutation. Per policy this warrants a warning for explicit AI-agent control-surface setup rather than a publish block.
Evidence
package.jsondist/server.jsdist/tools/docs.jsdist/tools/sensors.jsdist/tools/blocks.jsdist/tools/design.jsdist/tools/compliance.jsskills/social-plus-vise/SKILL.md~/.codex/skills/social-plus-vise~/.claude/skills/social-plus-vise.claude/skills/social-plus-vise.agents/skills/social-plus-vise.cursor/skills/social-plus-vise.cursor/rules/social-plus-vise.mdc.github/skills/social-plus-visesp-vise/*src/styles/social-plus-tokens.css
Network endpoints4
learn.social.plus/llms-full.txtlearn.social.plus/llms.txtregistry.npmjs.orglearn.social.plus/feature-matrix#feature-matrix
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/server.js exposes explicit install-skill command writing bundled skill files into ~/.codex, ~/.claude, .cursor, .github, or project .agents paths.
- dist/server.js removes legacy social-plus-foundry skill/rule files during install-skill migration.
- dist/tools/sensors.js can spawn detected project build/test/typecheck commands when run_sensors is explicitly invoked.
- dist/tools/docs.js fetches docs from https://learn.social.plus by default and caches them under temp.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts; only prepack/postpack publish-time scripts are declared.
- dist/server.js starts CLI/MCP server only via bin entrypoint; no install-time execution found.
- Network endpoints are package-aligned docs/metadata, not credential exfiltration endpoints.
- File writes are local sidecar/project artifacts or explicit skill/block install actions, generally controlled by CLI/MCP tool arguments.
- No eval/vm/Function, remote payload loading, credential harvesting, persistence, or destructive broad filesystem behavior found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts registry_only=bench,bench:audit-boundaries,bench:experience-calibration,bench:experience-calibration:advisory-seeds,bench:experience-calibration:conditional-feasibility,bench:experience-calibration:dogfood-preview,bench:experience-calibration:dogfood-summary,bench:experience-calibration:gate3-advisory-quality; devDependencies registry_only=@amityco/social-plus-schemas,@types/node,ajv,typescript
Critical
Manifest Confusion
Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgFindings
1 Critical2 Medium5 Low
CriticalManifest Confusionpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License