AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `bin/derive.js` explicitly supports `derive skill add` and `derive brandprint pull` into `./.claude/skills/`.
- `src/skills.js` fetches versioned remote bundle files and recursively writes them beneath the selected skills directory.
- `src/runner.js` materializes remote skills into `<cwd>/.claude/skills/`, then starts `claude` with `--dangerously-skip-permissions`.
- `src/runner.js` can clone manifest-specified repositories with the host's existing Git credentials during explicit runner startup.
- `package.json` declares no `preinstall`, `install`, or `postinstall` hook.
- All extension materialization and runner execution require explicit `derive` subcommands.
- Network traffic is authenticated against configurable Derive server endpoints; no unrelated exfiltration endpoint appears.
- `src/publish.js` excludes `.env` and `.env.*` files from directory uploads.
- The scanner's Unicode finding is an optional BOM (`U+FEFF`) match in `src/skills.js`, not a bidi control-flow trick.
Source & flagged code
3 flagged · loading sourceSource writes installer persistence such as shell profile or service configuration.
src/runner.jsView on unpkg · L10Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
src/skills.jsView on unpkg · L20A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
src/skills.jsView on unpkg