AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a design-system CLI with explicit commands that can write project files, configure MCP entries for supported IDEs, run local setup commands, and send opt-out usage telemetry.
Decision evidence
public snapshot- Source inspection shows user-invoked MCP setup writes AI IDE config files under ~/.claude, ~/.cursor, ~/.codeium/windsurf, ~/.gemini/antigravity, and project .vscode.
- Telemetry posts command/version/OS/node metadata to PostHog after first-run opt-out notice; not credential/file harvesting.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/index.js only registers Commander CLI actions; MCP setup is exposed as explicit `ptb mcp setup` or MCP tool, not install/import-time mutation.
- dist/mcp/tools/setup-mcp-tool.js writes a fixed package-owned `ptb mcp --cwd` server entry, preserving existing JSON and not injecting prompts or remote payloads.
- dist/commands/init.js runtime `git init` and Storybook/package-manager steps are user-invoked init/document setup flows, with prompts for install steps when TTY.
- dist/utils/storybook-setup.js only runs package manager/Storybook commands after explicit user confirmation; non-TTY returns without running them.
- No evidence of credential exfiltration, destructive behavior, obfuscated payloads, eval/vm/Function, or native binary loading in reviewed hot paths.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/utils/storybook-setup.jsView on unpkg · L3Source writes installer persistence such as shell profile or service configuration.
dist/mcp/tools/action-tools.jsView on unpkg · L2Package source invokes a package manager install command at runtime.
dist/commands/init.jsView on unpkg · L450This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/verify/run-verify.jsView on unpkg