AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code bootstraps first-party MAMA templates in ~/.mama. A user-started runtime can create an isolated Codex home, copy existing Codex authentication into it, and invoke an approval-free agent/MCP execution path. No confirmed external exfiltration or foreign-agent configuration mutation was found.
Decision evidence
public snapshot- package.json runs scripts/postinstall.js automatically on install.
- scripts/postinstall.js creates ~/.mama and copies package skill/workspace templates without prompting.
- scripts/postinstall.js invokes `claude auth status` and checks ~/.claude/.credentials.json existence.
- dist/agent/codex-mcp-process.js copies ~/.codex/auth.json into ~/.mama/.codex/auth.json when the Codex-backed agent starts.
- dist/agent/codex-home.js writes an isolated Codex config with approval_policy="never"; dist/mcp/code-act-server.js exposes JavaScript execution through a local MCP tool.
- Postinstall writes only package-owned ~/.mama paths; it does not write ~/.claude or ~/.codex.
- Postinstall contains no network request primitive; its URLs are printed documentation/login strings.
- Credential handling is local copying into a mode-0600 MAMA-specific home, with no package-source exfiltration path found.
- The code-act MCP proxy targets only 127.0.0.1:3847 and is activated by a user-run executable/runtime flow.
- CLI entrypoints require explicit commands for setup, start, or run; importing dist/index.js only re-exports modules.
Source & flagged code
11 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/connectors/calendar/index.jsView on unpkg · L3Package source references a known benign dynamic code generation pattern.
dist/multi-agent/bmad-templates.jsView on unpkg · L232Package source references dynamic require/import behavior.
dist/connectors/claude-code/index.jsView on unpkg · L11Source writes installer persistence such as shell profile or service configuration.
scripts/generate-gateway-tools.tsView on unpkg · L46A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli/runtime/utilities.jsView on unpkg · L62Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli/runtime/api-routes-init.jsView on unpkg · L50This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/agent/codex-mcp-process.jsView on unpkg