AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. This is a user-invoked CLI for scaffolding roster workspaces and installing first-party skills/agents into AI tool config directories.
Decision evidence
public snapshot- CLI can write AI tool skills/agents under Claude, Codex, and Gemini config roots on user command.
- bin/tripwire-hook.js contains scanner logic for risky prompt text, including secret-egress patterns.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin/roster.js network strings are help/repository/install URLs; no outbound request flow found.
- process.env usage is limited to ROSTER_* home overrides/config, not credential harvesting.
- child_process use appears in explicit CLI flows such as git init, probes, and script execution.
- Writes are package-aligned scaffolding/config operations guarded by commands, prompts, force flags, and path checks.
Source & flagged code
7 flagged · loading sourceSource appears to send environment or credential material to an external endpoint.
bin/roster.jsView on unpkg · L11A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/roster.jsView on unpkg · L11Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/roster.jsView on unpkg · L5224Source writes installer persistence such as shell profile or service configuration.
bin/roster.jsView on unpkg · L11Package ships non-JavaScript build or shell helper files.
templates/hooks/banner.shView on unpkg