AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `engrym init` with instruction setup, `engrym setup <tool>`, or `engrym mcp init`.
Impact
Can modify package-owned configuration and selected agent integration settings after an explicit command.
Mechanism
User-invoked MCP/agent configuration and scoped API-client setup.
Rationale
The package is not malicious by the inspected source, but its explicit AI-agent configuration capability merits a warning under the firewall policy. All observed mutations require a user-invoked command or interactive opt-in.
Evidence
package.jsonsrc/bin.tssrc/commands/instructions.tssrc/commands/mcp/setup.tssrc/runtime/update-check.tsdist/cli.mjs~/.engrym/config.yaml
Network endpoints2
api.engrym.comregistry.npmjs.org/@engrym/cli/latest
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/commands/mcp/setup.ts` explicitly accepts `setup <tool>` for Claude, Cursor, Gemini, and Codex registration.
- `src/commands/instructions.ts` can splice managed instruction blocks into project host-agent config files on explicit Auto/interactive choice.
- Bundled `dist/cli.mjs` includes a `claude mcp remove/add --scope user` registration path.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `src/bin.ts` only invokes `main()` when the user runs the CLI.
- Agent-config writes are documented as explicit `init` flags, interactive choices, or `setup` commands; noninteractive default is a no-op.
- `src/runtime/update-check.ts` only contacts the npm registry with a 2-second, throttled, opt-out update check.
- No source evidence of credential harvesting, arbitrary exfiltration, eval/vm execution, destructive deletion, or hidden persistence.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsUrlStrings
Oversized source lightweight scan
dist/cli.mjs4.27 MB file, sampled 256 KB
ChildProcessEvalUrlStringsraw.githubusercontent.com
Source & flagged code
2 flagged · loading sourcedist/cli.mjsView file
•path = dist/cli.mjs
kind = oversized_source_file
sizeBytes = 4475980
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/cli.mjsView on unpkg•path = dist/cli.mjs
kind = oversized_cli_entrypoint
sizeBytes = 4475980
magicHex = [redacted]
Medium
Oversized Cli Entrypoint
Package contains an oversized executable-looking CLI entrypoint.
dist/cli.mjsView on unpkgFindings
1 High5 Medium5 Low
HighOversized Source Filedist/cli.mjs
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings