registry  /  @jh-cairn/cairn  /  0.1.16

@jh-cairn/cairn@0.1.16

Project-level state machine, gates, context directory, and auditable workflow orchestrator for Claude Code / Codex

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established. The package is a workflow orchestrator that explicitly sets up Cairn-owned Claude hooks/MCP/config and later runs user-selected executors and GitLab CLI commands.

Static reason
No blocking static signals were detected.
Trigger
User runs `cairn init`, `cairn code`, `cairn run`, `cairn gate`, or GitLab sync/task commands.
Impact
Modifies project workflow files and may invoke local AI/GitLab tools under user command.
Mechanism
explicit CLI workflow setup and orchestration
Rationale
Source inspection shows explicit user-command setup of a first-party agent workflow surface, including Claude hooks and MCP registration, but no install-time mutation or concrete malicious chain. This matches a warn-level agent extension lifecycle risk rather than a publish block.
Evidence
package.jsondist/index.jsREADME.md.cairn/CLAUDE.mdAGENTS.md.claude/settings.json.claude/skills/*/SKILL.md.claude/commands/cairn/*.md.mcp.json.gitignore.gitattributesopenspec/docs/issues/
Network endpoints2
jihulab.com/gitlab-cn/technical-writing/cairn.gitgitlab.com/gitlab-org/cli

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js initCommand writes .claude/settings.json hooks for Stop and PreToolUse.
  • dist/index.js initCommand creates .claude/skills/* and .claude/commands/cairn/*.md.
  • dist/index.js initCommand writes .mcp.json registering cairn MCP server.
  • dist/index.js run/code execute claude, codex, opencode, custom shell commands when user invokes CLI workflows.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build/test.
  • Agent control-surface mutation is behind explicit `cairn init`, not install/import time.
  • Hooks are package-aligned: block writes to .cairn audit state and run deterministic gates.
  • GitLab network access is via user-invoked glab CLI for issue/MR/pipeline workflow.
  • No credential harvesting, hidden exfiltration, obfuscated payloads, or destructive install behavior found.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 105 KB of source, external domains: gitlab.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

dist/index.js initCommand writes .claude/settings.json hooks for Stop and PreToolUse.

dist/index.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

dist/index.js initCommand creates .claude/skills/* and .claude/commands/cairn/*.md.

dist/index.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

dist/index.js initCommand writes .mcp.json registering cairn MCP server.

dist/index.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

dist/index.js run/code execute claude, codex, opencode, custom shell commands when user invokes CLI workflows.

dist/index.jsView on unpkg

Findings

5 Medium5 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/index.js
MediumAi Review Evidencedist/index.js
MediumAi Review Evidencedist/index.js
MediumAi Review Evidencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings