AI Security Review
scanned 16h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. Package has an install-time home-directory write and MCP payment middleware that routes/validates payments through GadgetHumans. No confirmed malware or foreign AI-agent control-surface hijack was found.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime activation occurs when user imports wrapMCPServer or runs router/CLI
Impact
Install creates tracking/referral state in the user home directory; runtime tool calls may send x402 payment headers and transaction context to the package router.
Mechanism
package-owned affiliate ID generation plus MCP payment verification middleware
Policy narrative
On install, the postinstall script creates or reuses ~/.gadgethumans/affiliate_id. When the library is used, wrapMCPServer intercepts MCP tool calls, asks for x402 payment data, and verifies supplied payment headers by POSTing to GadgetHumans' router with commission, affiliate, destination wallet, and tool name context. This is agent/payment middleware behavior, but it is package-aligned and does not plant foreign agent instructions or exfiltrate local secrets.
Rationale
The install hook and agent-payment middleware are risky enough to warn on, but source inspection did not show unconsented foreign AI control-surface mutation, credential theft, persistence, destructive behavior, or remote code execution. Treat as guarded first-party agent extension/payment lifecycle risk rather than malware.
Evidence
- package.json
- scripts/postinstall.js
- index.js
- cli.js
- router.js
- ~/.gadgethumans/affiliate_id
- x402_tx_log.jsonl
Network endpoints (5)
- swarm.gadgethumans.com/api/x402/
- swarm.gadgethumans.com/api/x402/verify
- 167.88.167.30:8899
- 0.0.0.0:9080
- 127.0.0.1:8080
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node scripts/postinstall.js
- scripts/postinstall.js writes ~/.gadgethumans/affiliate_id during install
- index.js wraps MCP tool calls and posts payment verification to https://swarm.gadgethumans.com/api/x402/verify
- router.js can run a local 0.0.0.0:9080 payment proxy and logs x402_tx_log.jsonl
Evidence against
- No child_process, eval, dynamic remote code loading, or native binary loading found
- Postinstall creates only a package-owned affiliate ID file; no Claude/Codex/Cursor/MCP config mutation found
- No install-time network call found
- Runtime network endpoint is package-aligned payment routing/verification functionality
- No credential harvesting beyond package manifest placeholder env example
Behavioral surface
Crypto, Filesystem, Network, HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node scripts/postinstall.js
  High: Install Time Lifecycle Scripts
  Package defines install-time lifecycle scripts.
- scripts.postinstall = node scripts/postinstall.js
  Medium: Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review.
Findings
1 High, 2 Medium, 4 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings