AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Installation mutates AI-agent instruction/control files in the consuming project. With no detected agent, it writes all supported agent stubs by default.
Decision evidence
public snapshot- `package.json` runs `node postinstall.js` on installation.
- `postinstall.js` runs for consumer installs and targets `INIT_CWD` or the consuming project root.
- `postinstall/detect-agent.js` defaults to `all` when no agent signal exists.
- `postinstall.js` writes/merges `AGENTS.md`, `CLAUDE.md`, and `.cursorrules` in that project.
- `postinstall/agent-stubs.js` installs package-controlled AI-agent instructions referencing its templates.
- Postinstall source shows no network request or credential harvesting.
- The SDK runtime endpoints are survey API calls, not part of the install-time mutation chain.
- CLI shell/package-manager actions are behind explicit CLI commands.
Source & flagged code
12 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/index.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cli/index.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/cli/index.jsView on unpkg · L1Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/cli/index.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
dist/cli/index.jsView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
postinstall.jsView on unpkg · L24Package ships non-JavaScript build or shell helper files.
templates/docs/survey-ui/verify-agent-build.shView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/cli/index.mjsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/index.jsView on unpkg