AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/commands-DOYdmiAx.js` implements `docs:agents` and `docs:claude`, explicitly writing `.agents/smrt-framework.md` or `.claude/smrt-framework.md`.
- `dist/commands-DOYdmiAx.js` downloads a user-selected git template over HTTPS and dynamically imports its `template.config.js`/`.ts`, which executes template code during `smrt gnode create`.
- `dist/commands-DOYdmiAx.js` runs validated base-generator commands only after the explicit `smrt gnode create` command.
- `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
- `bin/smrt.js` only launches the packaged CLI after a user invokes the `smrt` binary.
- No `eval`, `Function`, VM, native-module loading, credential harvesting, or outbound exfiltration path was found.
- Network access is limited to explicit git-template downloads with HTTPS-only trusted-host redirect checks.
- Agent-context writes are explicit CLI commands with a dry-run option, not install-time mutation.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands-DOYdmiAx.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/commands-DOYdmiAx.jsView on unpkg · L3653Package source references dynamic require/import behavior.
dist/commands-DOYdmiAx.jsView on unpkg · L122