registry  /  @engrym/cli  /  1.5.0

@engrym/cli@1.5.0

Engrym CLI — terminal-native Commander.js wrapper over @engrym/sdk-ts plus the `mcp init` pass-through. See https://github.com/engrym for documentation.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `engrym init` with instruction setup, `engrym setup <tool>`, or `engrym mcp init`.
Impact
Can modify package-owned configuration and selected agent integration settings after an explicit command.
Mechanism
User-invoked MCP/agent configuration and scoped API-client setup.
Rationale
The package is not malicious by the inspected source, but its explicit AI-agent configuration capability merits a warning under the firewall policy. All observed mutations require a user-invoked command or interactive opt-in.
Evidence
package.jsonsrc/bin.tssrc/commands/instructions.tssrc/commands/mcp/setup.tssrc/runtime/update-check.tsdist/cli.mjs~/.engrym/config.yaml
Network endpoints2
api.engrym.comregistry.npmjs.org/@engrym/cli/latest

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/commands/mcp/setup.ts` explicitly accepts `setup <tool>` for Claude, Cursor, Gemini, and Codex registration.
  • `src/commands/instructions.ts` can splice managed instruction blocks into project host-agent config files on explicit Auto/interactive choice.
  • Bundled `dist/cli.mjs` includes a `claude mcp remove/add --scope user` registration path.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `src/bin.ts` only invokes `main()` when the user runs the CLI.
  • Agent-config writes are documented as explicit `init` flags, interactive choices, or `setup` commands; noninteractive default is a no-op.
  • `src/runtime/update-check.ts` only contacts the npm registry with a 2-second, throttled, opt-out update check.
  • No source evidence of credential harvesting, arbitrary exfiltration, eval/vm execution, destructive deletion, or hidden persistence.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 122 file(s), 965 KB of source, external domains: api.engrym.com, raw.githubusercontent.com, registry.npmjs.org
Oversized source lightweight scan
dist/cli.mjs4.27 MB file, sampled 256 KB
ChildProcessEvalUrlStringsraw.githubusercontent.com

Source & flagged code

2 flagged · loading source
dist/cli.mjsView file
path = dist/cli.mjs kind = oversized_source_file sizeBytes = 4475980 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.mjsView on unpkg
path = dist/cli.mjs kind = oversized_cli_entrypoint sizeBytes = 4475980 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.mjsView on unpkg

Findings

1 High5 Medium5 Low
HighOversized Source Filedist/cli.mjs
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings