AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked local AI context/MCP tool that modifies project Claude settings and runs localhost services as documented.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs bin command such as syn .
Impact
Project-local context files and Claude hook configuration are created or updated; no credential harvesting or exfiltration found.
Mechanism
documented local MCP server, dashboard, project graph files, and Claude hook installation
Rationale
Static inspection found high-privilege AI-agent integration behavior, but it is explicit, documented, user-invoked, and scoped to local project/MCP functionality. No install-time execution, credential collection, destructive behavior, persistence beyond configured project hooks, or remote exfiltration endpoint was found.
Evidence
package.jsonbin/syndist/cli/index.jsdist/server/index.jsREADME.md.synthra/.synthra-graph/.claude/settings.local.json.claude/hooks/synthra-*CLAUDE.md.gitignore.mcp.json~/.synthra/projects.json~/.synthra/last-seen-version.json
Network endpoints6
registry.npmjs.org/@jefuriiij%2Fsynthra/latest127.0.0.1:<port>/mcp127.0.0.1:<port>/gate127.0.0.1:<port>/prime127.0.0.1:<port>/route127.0.0.1:<port>/log
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/cli/index.js installs Claude Code hooks and edits .claude/settings.local.json when user runs syn .
- dist/cli/index.js contacts https://registry.npmjs.org/@jefuriiij%2Fsynthra/latest for update checks unless SYN_NO_UPDATE_CHECK=1
- dist/cli/index.js can spawn npm install -g @jefuriiij/synthra@latest only after interactive confirmation
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts
- bin/syn only imports dist/cli/index.js and runs main on CLI invocation, not package import
- Hook and MCP writes are documented in README.md and tied to explicit syn . setup/remove flows
- Local servers bind to 127.0.0.1 and hooks call local /gate, /prime, /route, /log endpoints
- Secrets in MCP configs are intentionally redacted in dashboard arsenal scanning
- Trojan-source hint is a BOM-tolerant regex in parseFrontmatter, not hidden control-flow code
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/server/index.jsView file
3036contains invisible/control Unicode U+FEFF (zero width no-break space)
const m = md.match(/^<U+FEFF>?\s*---\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/server/index.jsView on unpkg · L303664};
L65: var activeLevel = process.env.SYN_LOG_LEVEL ?? "info";
L66: function shouldLog(level) {
...
L70: if (!shouldLog(level)) return;
L71: const stream = level === "error" || level === "warn" ? process.stderr : process.stdout;
L72: stream.write(`[syn] ${msg}${args.length ? " " + args.map(String).join(" ") : ""}
L73: `);
...
L165: // src/activity/git-watcher.ts
L166: import { execFile } from "child_process";
L167: import { watch } from "fs";
...
L1553: const raw = await readFile4(path, "utf8");
L1554: const parsed = JSON.parse(raw);
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/server/index.jsView on unpkg · L64Findings
1 Critical3 Medium5 Low
CriticalTrojan Source Unicodedist/server/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings