registry  /  @contextium/cli  /  1.8.1

@contextium/cli@1.8.1

Command-line tool for managing Contextium documentation, agents, skills, and workflows — pipe context to AI coding assistants

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package exposes explicit setup commands that configure AI assistant integrations and permission allowlists for Contextium. This is a lifecycle/control-surface risk but not a confirmed malicious chain because activation is user-invoked and package-aligned.

Static reason
No blocking static signals were detected.
Trigger
User runs contextium setup-claude, setup-cursor, setup-codex, or setup-copilot
Impact
May reduce prompts or install Contextium hooks for supported assistants; no install-time mutation or exfiltration was found.
Mechanism
first-party AI assistant integration setup with MCP registration, prompts/instructions, allowlists, and optional hooks
Rationale
Static source inspection found explicit AI assistant setup that modifies control surfaces and can reduce prompts, so a warning is appropriate under the policy. No concrete malicious behavior, install-time mutation, credential harvesting, destructive action, or non-package-aligned exfiltration was identified.
Evidence
package.jsondist/index.jsdist/commands/setup-claude.jsdist/lib/claude-permissions.jsdist/commands/setup-cursor.jsdist/commands/setup-codex.jsdist/commands/setup-copilot.jshooks/ium-check-update.jsdist/lib/msal.jsdist/lib/api-client.js~/.claude/settings.json~/.claude/hooks/ium-check-update.js~/.claude/hooks/ium-statusline.js~/.claude/commands/ium/*.md~/.cursor/mcp.json~/.cursor/permissions.json~/.cursor/rules/contextium.mdc~/.codex/config.toml~/.codex/AGENTS.md~/.codex/prompts/*.md.vscode/mcp.json.github/copilot-instructions.md.github/prompts/*.prompt.md.contextiumrc.contextium-cache~/.contextium/msal-cache.json
Network endpoints7
api.contextium.io/api/v1auth.contextium.io/9b6eccb4-2057-43a8-be7f-f558ad8e7bc1mcp.contextium.io/ssecontextium.io/pricinggithub.com/contextium-io/contextium.gitcontextium.io/docs/cligithub.com/contextium-io/contextium/issues

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/setup-claude.js installs Claude Code permissions, /ium commands, and global hooks only when the user runs setup-claude.
  • dist/lib/claude-permissions.js adds allow rules for Bash contextium * and mcp__contextium__*, and registers SessionStart/statusLine hooks under ~/.claude.
  • dist/commands/setup-cursor.js writes Cursor MCP config and mcpAllowlist for Contextium tools under ~/.cursor or ./.cursor.
  • dist/commands/setup-codex.js writes ~/.codex/config.toml, AGENTS.md, prompts, and has an opt-in --no-prompt path setting approval_policy = never.
  • hooks/ium-check-update.js spawns npm view/npm list in a Claude hook to check Contextium package updates.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
  • dist/index.js only registers commander CLI commands; setup behavior is explicit user-invoked.
  • Network endpoints are package-aligned: api.contextium.io, auth.contextium.io, mcp.contextium.io, npm registry via npm view.
  • Auth/token handling uses MSAL cache under ~/.contextium and Contextium API bearer headers, not broad credential harvesting.
  • No evidence of eval/vm/Function, native binary loading, destructive behavior, stealth persistence, or unconsented install-time AI-agent mutation.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 59 file(s), 400 KB of source, external domains: api.contextium.io, mcp.contextium.io

Source & flagged code

5 flagged · loading source
dist/commands/setup-claude.jsView file
Published source reference
Medium
Ai Review Evidence

dist/commands/setup-claude.js installs Claude Code permissions, /ium commands, and global hooks only when the user runs setup-claude.

dist/commands/setup-claude.jsView on unpkg
dist/lib/claude-permissions.jsView file
Published source reference
Medium
Ai Review Evidence

dist/lib/claude-permissions.js adds allow rules for Bash contextium * and mcp__contextium__*, and registers SessionStart/statusLine hooks under ~/.claude.

dist/lib/claude-permissions.jsView on unpkg
dist/commands/setup-cursor.jsView file
Published source reference
Medium
Ai Review Evidence

dist/commands/setup-cursor.js writes Cursor MCP config and mcpAllowlist for Contextium tools under ~/.cursor or ./.cursor.

dist/commands/setup-cursor.jsView on unpkg
dist/commands/setup-codex.jsView file
Published source reference
Medium
Ai Review Evidence

dist/commands/setup-codex.js writes ~/.codex/config.toml, AGENTS.md, prompts, and has an opt-in --no-prompt path setting approval_policy = never.

dist/commands/setup-codex.jsView on unpkg
hooks/ium-check-update.jsView file
Published source reference
Medium
Ai Review Evidence

hooks/ium-check-update.js spawns npm view/npm list in a Claude hook to check Contextium package updates.

hooks/ium-check-update.jsView on unpkg

Findings

7 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/commands/setup-claude.js
MediumAi Review Evidencedist/lib/claude-permissions.js
MediumAi Review Evidencedist/commands/setup-cursor.js
MediumAi Review Evidencedist/commands/setup-codex.js
MediumAi Review Evidencehooks/ium-check-update.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings