AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time behavior was found. The package exposes a developer CLI that can write project config/docs, run git/package-manager commands, import local project modules, and download templates only through explicit CLI commands.
Decision evidence
public snapshot- package.json has no npm lifecycle hooks; bin only spawns node on dist/index.js or source fallback.
- bin/smrt.js child_process use is a CLI wrapper forwarding user arguments to this package entrypoint.
- dist/index.js lazy-loads command bundle and imports consumer project entry/.smrt/register.js only during CLI class discovery.
- dist/commands-BS3AEVpd.js docs:agents/docs:claude writes .agents or .claude output only when explicitly invoked, with dry-run support.
- dist/commands-BS3AEVpd.js template network access is user-invoked git template download limited to GitHub/GitLab/Bitbucket HTTPS with redirect validation.
- Runtime package-manager/git/vitest spawns are tied to explicit scaffold, git:init, playground, or diagnostic commands, not install/import time.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands-BS3AEVpd.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/commands-BS3AEVpd.jsView on unpkg · L3648Package source references dynamic require/import behavior.
dist/commands-BS3AEVpd.jsView on unpkg · L121