AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an AI coding assistant context tool that, when explicitly run, installs local Claude hooks, starts localhost services, and records project context/logs.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs syn . or related CLI commands
Impact
Local project files and Claude settings may be modified as documented; no unconsented install-time execution or external exfiltration confirmed.
Mechanism
user-invoked local context server and Claude Code hook integration
Rationale
Static inspection shows powerful AI-agent integration, but it is activated by documented CLI commands and uses localhost endpoints plus explicit Claude hook/MCP registration. No lifecycle execution, hidden payload, credential theft, destructive behavior, or external exfiltration was confirmed.
Evidence
package.jsonbin/syndist/cli/index.jsdist/server/index.jsREADME.md.claude/settings.local.json.claude/hooks/synthra-prime.{ps1,sh}.claude/hooks/synthra-pre-tool-use.{ps1,sh}.claude/hooks/synthra-pre-compact.{ps1,sh}.claude/hooks/synthra-stop.{ps1,sh}.synthra-graph/CLAUDE.md.gitignore.mcp.json~/.synthra/last-seen-version.json
Network endpoints6
127.0.0.1:<port>/prime127.0.0.1:<port>/gate127.0.0.1:<port>/log127.0.0.1:<port>/context-update127.0.0.1:<port>/mcpregistry.npmjs.org/@jefuriiij%2Fsynthra/latest
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/cli/index.js writes Claude Code hooks/settings and CLAUDE.md policy during user-invoked syn .
- dist/cli/index.js can fetch https://registry.npmjs.org/@jefuriiij%2Fsynthra/latest and optionally spawn npm install -g after TTY confirmation
- dist/cli/index.js registers a localhost MCP server with claude mcp add --scope project
Evidence against
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks
- bin/syn only imports dist/cli/index.js and runs main on CLI invocation
- Hook scripts call only 127.0.0.1:$PORT Synthra endpoints for prime/gate/log/context-update
- Self-update path prompts in TTY and only logs instructions in non-TTY; SYN_NO_UPDATE_CHECK disables fetch
- Unicode scanner hit is a leading BOM-tolerant regex in parseFrontmatter, not bidi control-flow obfuscation
- No credential harvesting or external exfiltration found in inspected entrypoints
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/server/index.jsView file
64};
L65: var activeLevel = process.env.SYN_LOG_LEVEL ?? "info";
L66: function shouldLog(level) {
...
L70: if (!shouldLog(level)) return;
L71: const stream = level === "error" || level === "warn" ? process.stderr : process.stdout;
L72: stream.write(`[syn] ${msg}${args.length ? " " + args.map(String).join(" ") : ""}
L73: `);
...
L165: // src/activity/git-watcher.ts
L166: import { execFile } from "child_process";
L167: import { watch } from "fs";
...
L1553: const raw = await readFile4(path, "utf8");
L1554: const parsed = JSON.parse(raw);
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/server/index.jsView on unpkg · L64dist/cli/index.jsView file
196contains invisible/control Unicode U+FEFF (zero width no-break space)
const m = md.match(/^<U+FEFF>?\s*---\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/cli/index.jsView on unpkg · L196Findings
1 Critical3 Medium5 Low
CriticalTrojan Source Unicodedist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings