AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A host application or agent explicitly invokes `ShellTools.runBackground`, `McpTools.mcpAdd`, or `McpTools.mcpTools`.
Impact
If an integrating agent passes untrusted input into these APIs, it can run local commands and persist command definitions under the customize-agent home directory; no automatic execution path was found.
Mechanism
Caller-controlled shell execution and first-party MCP command registration.
Rationale
Static inspection resolves this as a legitimate but high-privilege agent-tools library rather than malware. Its shell and MCP APIs are explicitly exported runtime features, with no lifecycle trigger, remote payload execution, credential access, foreign agent-surface mutation, or concealed loader. The residual risk is that an embedding agent could expose these user-controlled execution capabilities without adequate authorization controls.
Evidence
package.jsondist/index.jsdist/builtins/index.jsdist/builtins/shell-tools.jsdist/builtins/mcp-tools.jsdist/network-tools.jsdist/core/workspace-snapshot.jsdist/sandbox/sandbox-executor.js~/.customize-agent/mcp.json~/.customize-agent/plugins.json
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/builtins/shell-tools.js` exports `runBackground(command)`, which passes caller-supplied command text to `execaCommand` with `shell: true` and retains the child process in an in-memory background map.
- `dist/builtins/mcp-tools.js` accepts a caller-supplied command in `mcpAdd`, writes it to `~/.customize-agent/mcp.json`, and `mcpTools` later starts the configured command through the MCP stdio transport.
- `dist/builtins/shell-tools.js` writes plugin selections to `~/.customize-agent/plugins.json`; these are first-party application paths, but the capability is agent-facing and can configure future local command execution.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or uninstall lifecycle script, so npm installation does not trigger the shell or MCP functions.
- `dist/index.js` and `dist/builtins/index.js` only export tool classes; the inspected command, MCP, network, and filesystem actions require a host application to call their methods.
- No `eval`, `Function`, `vm`, detached subprocess, encoded-payload loader, credential collection, persistence hook, or hardcoded remote command/payload source was found in the inspected `dist` sources.
- `dist/network-tools.js` uses `duckduckgo.com` for explicit search requests and `registry.npmjs.org` for explicit version checks; its `webFetch` and `downloadFile` methods take a caller-provided URL and do not execute downloaded content.
- The base64 use in `dist/core/workspace-snapshot.js` serializes and restores workspace snapshot bytes; it is not an inert embedded payload or decoder chain.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/builtins/shell-tools.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @customize-agent/tools@1.0.2
matchedIdentity = npm:QGN1c3RvbWl6ZS1hZ2VudC90b29scw:1.0.2
similarity = 0.795
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/builtins/shell-tools.jsView on unpkgFindings
1 Critical2 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/builtins/shell-tools.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings