AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Installation mutates the consuming project's AI-agent instruction/control files without an explicit setup command. When no agent is detected, it writes stubs for all supported agent surfaces.
Decision evidence
public snapshot- `package.json` invokes `node postinstall.js` on install.
- `postinstall.js` targets `INIT_CWD` or the consuming project root.
- It writes/merges project-root `AGENTS.md` and `.cursorrules`; default detection writes all stubs.
- It writes `CLAUDE.md` when absent or containing `@AGENTS.md`.
- `postinstall/detect-agent.js` fingerprints Codex, Claude, Cursor, and Antigravity environment signals.
- Postinstall performs no network request, shell execution, or credential harvesting.
- Written stubs point to the installed package's survey-agent documentation and use explicit markers.
- CLI network, deployment, and shell actions require explicit `cfm-sdk` commands.
Source & flagged code
8 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/index.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cli/index.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/cli/index.jsView on unpkg · L1Install-time source drops package-supplied AI-agent/MCP control files or instructions.
postinstall.jsView on unpkg · L24Package ships non-JavaScript build or shell helper files.
templates/docs/survey-ui/verify-agent-build.shView on unpkg