AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established. The package is a workflow orchestrator that explicitly sets up Cairn-owned Claude hooks/MCP/config and later runs user-selected executors and GitLab CLI commands.
Decision evidence
public snapshot- dist/index.js initCommand writes .claude/settings.json hooks for Stop and PreToolUse.
- dist/index.js initCommand creates .claude/skills/* and .claude/commands/cairn/*.md.
- dist/index.js initCommand writes .mcp.json registering cairn MCP server.
- dist/index.js run/code execute claude, codex, opencode, custom shell commands when user invokes CLI workflows.
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build/test.
- Agent control-surface mutation is behind explicit `cairn init`, not install/import time.
- Hooks are package-aligned: block writes to .cairn audit state and run deterministic gates.
- GitLab network access is via user-invoked glab CLI for issue/MR/pipeline workflow.
- No credential harvesting, hidden exfiltration, obfuscated payloads, or destructive install behavior found.
Source & flagged code
4 flagged · loading sourcedist/index.js initCommand writes .claude/settings.json hooks for Stop and PreToolUse.
dist/index.jsView on unpkgdist/index.js initCommand creates .claude/skills/* and .claude/commands/cairn/*.md.
dist/index.jsView on unpkgdist/index.js initCommand writes .mcp.json registering cairn MCP server.
dist/index.jsView on unpkgdist/index.js run/code execute claude, codex, opencode, custom shell commands when user invokes CLI workflows.
dist/index.jsView on unpkg