AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Starting the package's MCP server can alter the user's global Claude MCP configuration. It replaces Figma registration and may register Playwright without an explicit remediation request.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run `layout-context serve` or start the configured Layout MCP server.
Impact
Unconsented persistent user-scoped AI-agent extension changes and external MCP registration.
Mechanism
Runtime Claude MCP reconfiguration via `claude mcp` and `~/.claude.json` writes.
Rationale
This is not install-time malware, but the automatic global Claude MCP mutation on ordinary server startup is a concrete agent-extension lifecycle risk. Warn rather than block because setup behavior is product-aligned and no exfiltration, destructive action, or remote code-execution chain was found.
Evidence
package.jsondist/src/mcp/server.jsdist/src/cli/setup-utils.jsdist/src/cli/install.jsdist/src/update-check.js~/.claude.jsonClaude user-scoped MCP configuration
Network endpoints1
mcp.figma.com/mcp
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/src/mcp/server.js` calls setup fixes during every `serve` startup.
- `dist/src/cli/setup-utils.js` rewrites `~/.claude.json` when it detects an old Figma MCP entry.
- `dist/src/cli/setup-utils.js` removes and adds user-scoped Claude MCP servers for Figma and Playwright.
- These mutations occur without a `fix` flag when the MCP server starts.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- The CLI `install` command is explicitly user-invoked and project setup is package-aligned.
- No eval/vm/native loader or credential/environment harvesting was found.
- Network use is for npm update checks, Layout gallery downloads, localhost preview, and Figma MCP integration.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/bin/cli.jsView file
20import { notifyIfUpdate } from "../src/update-check.js";
L21: const require = createRequire(import.meta.url);
L22: const pkg = require("../../package.json");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/bin/cli.jsView on unpkg · L20assets/layout-swc-plugin-57.wasmView file
•path = assets/layout-swc-plugin-57.wasm
kind = wasm_module
sizeBytes = 848042
magicHex = [redacted]
Medium
dist/src/cli/install.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @layoutdesign/context@0.16.0
matchedIdentity = npm:QGxheW91dGRlc2lnbi9jb250ZXh0:0.16.0
similarity = 0.940
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/cli/install.jsView on unpkgFindings
1 High5 Medium4 Low
HighPrevious Version Dangerous Deltadist/src/cli/install.js
MediumDynamic Requiredist/bin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleassets/layout-swc-plugin-57.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings