AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface; risky primitives are tied to the package's explicit AI environment setup purpose. The main residual risk is user-invoked remote rules/tool installation affecting agent configuration.
Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs profile init, sync, or up CLI commands.
Impact
Writes AGENTS.md, removes documented legacy profile files, and installs/configures external tools when requested.
Mechanism
user-invoked AI environment setup and AGENTS.md generation
Rationale
Static inspection shows dangerous primitives, but they are explicit CLI behavior for a personal AI coding environment setup package and are documented rather than hidden install/import-time behavior. No concrete credential theft, exfiltration, persistence, or unconsented lifecycle agent-control mutation was found.
Evidence
package.json, bin/profile.js, src/cli.js, src/commands/init.js, src/commands/sync.js, src/commands/up.js, src/tools.js, src/fs.js, README.md, AGENTS.md, .github/copilot-instructions.md, .github/profile.manifest.json, .github/instructions, .github/skills
Network endpoints (4)
- raw.githubusercontent.com/DietrichGebert/ponytail/main/AGENTS.md
- github:JuliusBrussee/caveman
- npm registry for opencode/rtk
- PyPI for graphifyy
Decision evidence
public snapshot: AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- src/commands/sync.js fetches remote Ponytail rules from raw.githubusercontent.com and writes them into AGENTS.md.
- src/tools.js runs user-invoked installers: npx GitHub caveman, npm install -g rtk, pip install graphifyy, and OpenCode hooks.
- src/fs.js removes legacy .github agent/profile files during sync.
Evidence against
- package.json has no install/postinstall hook; prepublishOnly is publisher-side test/version check only.
- bin/profile.js only dispatches explicit CLI commands init/sync/up.
- README.md documents OpenCode setup, AGENTS.md generation, legacy cleanup, and tool installation.
- No credential harvesting, env dumping, destructive broad filesystem traversal, or exfiltration code found.
- Network activity is limited to documented tool installation and one rules fetch for generated AGENTS.md.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
NoLicense
Source & flagged code
3 flagged
src/tools.js (lines 1-2)
import { execSync } from 'node:child_process'
import os from 'node:os'
High
src/commands/init.js (lines 25-28)
console.log(`\n → Installing OpenCode...`)
const npm = await import('node:child_process')
npm.execSync('npm install -g opencode', { encoding: 'utf8', stdio: 'inherit', timeout: 120000 })
}
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/commands/init.js, line 25
src/env.js
matchType = previous_version_dangerous_delta
matchedPackage = @erminhhho/profile@0.2.0
matchedIdentity = npm:QGVybWluaGhoby9wcm9maWxl:0.2.0
similarity = 0.400
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/env.js
Findings
1 Critical · 3 High · 3 Medium · 6 Low
Critical: Previous Version Dangerous Delta (src/env.js)
High: Child Process (src/tools.js)
High: Shell
High: Runtime Package Install (src/commands/init.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: No License