AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `astro-blocks init-ai` (optionally with `--copy` or `--file`).
Impact
Can influence future AI-agent behavior in that project through user-requested configuration mutation.
Mechanism
Appends package AI-context reference or copied content to agent instruction files.
Rationale
Source inspection confirms an explicit-user AI configuration mutation, which warrants a warning under the stated policy. It is not malicious because there is no install-time trigger or concrete harmful chain.
Evidence
package.jsondist/plugin/cli/index.jsdist/plugin/cli/init-ai.jsAGENTS.consumer.mddist/plugin/index.jsdist/utils/paths.jsAGENTS.mdCLAUDE.md.astro-blocks/runtime.mjs.astro-blocks/schema-map.mjs
Decision evidence
public snapshotAI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `astro-blocks init-ai` explicitly appends AI context to consumer `AGENTS.md` or `CLAUDE.md`.
- `--file` lets the explicit CLI action select a caller-supplied target path.
- Copy mode reads and embeds `AGENTS.consumer.md` into the selected agent-instruction file.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- CLI wiring exposes the mutation only through the user-invoked `init-ai` subcommand.
- `AGENTS.consumer.md` contains package integration documentation, not credential collection or instruction-bypass content.
- No child-process execution, eval/vm use, remote payload loading, or external network endpoint was found.
- Runtime file writes generate package-owned `.astro-blocks` artifacts; upload handling uses contained project paths.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/api/manifest.jsView file
8import { DATA_SCHEMA_VERSION } from './schema-version.js';
L9: const require = createRequire(import.meta.url);
L10: /**
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/api/manifest.jsView on unpkg · L8dist/routes/uploads-get.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @astroblocks/astro-blocks@3.4.0
matchedIdentity = npm:[redacted]:3.4.0
similarity = 0.385
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/routes/uploads-get.jsView on unpkgFindings
1 High3 Medium4 Low
HighPrevious Version Dangerous Deltadist/routes/uploads-get.js
MediumDynamic Requiredist/api/manifest.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings