AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User adds the documented sync-ai-rules/postinstall script or manually runs scripts/sync.js; later Claude SessionStart runs .claude/setup.sh.
Impact
Creates or updates project agent rule files and a Claude SessionStart hook; setup.sh may install nvm and run npm ci for the project.
Mechanism
explicit user-command AI-agent config mutation and dependency bootstrap
Rationale
Source inspection shows documented, user-invoked AI-agent setup with broad project file writes and a Claude hook, so it merits warning under the agent control-surface policy. There is no hidden package lifecycle hook, credential exfiltration, destructive behavior, or remote payload execution sufficient to block publishing.
Evidence
package.jsonREADME.mdscripts/sync.jsscripts/setup.shscripts/execAndLog.jsskills/frontend-ui-verification/scripts/inspect-ui-verification-surface.shskills/cognito-user-analysis/scripts/check-prerequisites.sh.rules/.agents/AGENTS.mdCLAUDE.md.claude/setup.sh.claude/settings.json$CLAUDE_ENV_FILE$HOME/.cache/agent-deps
Network endpoints2
raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.shapi.clipboard.health/api/user/agentSearch
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- README.md instructs consumers to add a postinstall script invoking scripts/sync.js.
- scripts/sync.js writes .rules/, .agents/, AGENTS.md, CLAUDE.md, .claude/setup.sh, and .claude/settings.json.
- scripts/sync.js adds a Claude SessionStart hook for "$CLAUDE_PROJECT_DIR"/.claude/setup.sh.
- scripts/setup.sh can install nvm via curl|bash and run npm ci when the Claude hook/direct setup runs.
Evidence against
- package.json itself has no preinstall/install/postinstall lifecycle hook, bin, main, dependencies, or runtime entrypoint.
- The sync behavior is documented in README.md and requires an explicit consumer script or direct node invocation.
- scripts/sync.js removes only its known Claude hook commands and preserves unrelated settings entries.
- No credential harvesting or exfiltration path found; NPM_TOKEN/1Password handling is used only to run npm commands.
- Network use found is package-aligned setup/tooling, not remote payload execution beyond documented nvm installer.
Behavioral surface
ChildProcessFilesystem
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcescripts/setup.shView file
•path = scripts/setup.sh
kind = build_helper
sizeBytes = 7027
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/setup.shView on unpkgFindings
2 Medium3 Low
MediumShips Build Helperscripts/setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings