AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The sensitive behavior is an explicit AI-context CLI bootstrap that installs local Claude hooks and MCP registration, matching the package description rather than install-time compromise.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs syn/synthra CLI default flow or related commands.
Impact
Creates local Synthra graph/context files and Claude integration files; can influence Claude workflow while Synthra is enabled.
Mechanism
Local project scanner, localhost MCP/dashboard server, Claude hook registration, and npm registry update check.
Rationale
Static inspection found risky AI-agent integration primitives, but they are user-invoked, documented by the package purpose, local-only except for an npm update check, and include cleanup paths. No install-time execution, credential harvesting, destructive payload, persistence outside the stated integration, or exfiltration was found.
Evidence
package.jsonbin/syndist/cli/index.jsdist/server/index.js.synthra-graph/.synthra/CLAUDE.md.claude/settings.local.json.claude/hooks/synthra-*.mcp.json.gitignore~/.synthra/last-seen-version.json
Network endpoints6
127.0.0.1:<port>/mcp127.0.0.1:<port>/gate127.0.0.1:<port>/route127.0.0.1:<port>/log127.0.0.1:<port>/context-updateregistry.npmjs.org/%40jefuriiij%2Fsynthra/latest
Decision evidence
public snapshotAI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
- User-invoked default CLI flow writes CLAUDE.md policy text, .claude/hooks/synthra-* and .claude/settings.local.json in dist/cli/index.js.
- Hooks can block/route Claude tool and prompt events by posting to localhost /gate, /route, /log, and /context-update.
- CLI performs an update check to https://registry.npmjs.org/%40jefuriiij%2Fsynthra/latest unless SYN_NO_UPDATE_CHECK=1.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; execution is via bin/syn.
- bin/syn only imports dist/cli/index.js and calls main(process.argv).
- Network use is localhost MCP/dashboard plus npm registry update check; no credential exfiltration endpoint found.
- Filesystem writes are package-aligned project state/integration files with remove cleanup logic in dist/cli/index.js.
- Trojan-source hint is an optional BOM character in a frontmatter regex, not bidi control flow hiding.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/server/index.jsView file
3036contains invisible/control Unicode U+FEFF (zero width no-break space)
const m = md.match(/^<U+FEFF>?\s*---\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/server/index.jsView on unpkg · L303664};
L65: var activeLevel = process.env.SYN_LOG_LEVEL ?? "info";
L66: function shouldLog(level) {
...
L70: if (!shouldLog(level)) return;
L71: const stream = level === "error" || level === "warn" ? process.stderr : process.stdout;
L72: stream.write(`[syn] ${msg}${args.length ? " " + args.map(String).join(" ") : ""}
L73: `);
...
L165: // src/activity/git-watcher.ts
L166: import { execFile } from "child_process";
L167: import { watch } from "fs";
...
L1553: const raw = await readFile4(path, "utf8");
L1554: const parsed = JSON.parse(raw);
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/server/index.jsView on unpkg · L64Findings
1 Critical3 Medium5 Low
CriticalTrojan Source Unicodedist/server/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings