registry  /  @layoutdesign/context  /  0.19.0

@layoutdesign/context@0.19.0

Design system context for AI coding agents — MCP server + CLI + live preview

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Running the package's MCP `serve` entrypoint can mutate Claude user-level MCP configuration without a fresh confirmation. It replaces an existing Figma MCP entry and may add Figma and Playwright integrations.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Starting `@layoutdesign/context serve` as an MCP server.
Impact
Changes AI-agent control-surface configuration and may enable external MCP integrations.
Mechanism
Runtime auto-registration and replacement of user-scoped Claude MCP servers.
Rationale
No install-time malware or exfiltration chain is established, but `serve` has an unconsented user-level agent configuration mutation path. Flag as a warning for agent-extension lifecycle risk.
Evidence
package.jsondist/src/mcp/server.jsdist/src/cli/setup-utils.jsdist/src/cli/install.jsdist/src/install/live.js~/.claude.jsonClaude user-scoped MCP configuration
Network endpoints1
mcp.figma.com/mcp

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/src/mcp/server.js` auto-runs setup on MCP server startup.
  • `dist/src/cli/setup-utils.js` rewrites `~/.claude.json` when it finds a Figma stdio entry.
  • `dist/src/cli/setup-utils.js` removes and adds user-scoped Figma MCP registrations.
  • Startup can add a user-scoped Playwright MCP via `claude mcp add`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • Agent configuration writes in `dist/src/cli/install.js` occur through explicit CLI install commands.
  • Network use is feature-aligned: npm update checks, kit download, local preview, and Figma MCP.
  • No credential harvesting, arbitrary remote payload execution, obfuscated code, or destructive filesystem behavior found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 81 file(s), 440 KB of source, external domains: cdn.tailwindcss.com, docs.anthropic.com, layout.design, mcp.figma.com, nodejs.org, registry.npmjs.org, ui.shadcn.com, ui.staging.layout.design, unpkg.com, www.figma.com

Source & flagged code

3 flagged · loading source
dist/bin/cli.jsView file
23import { notifyIfUpdate } from "../src/update-check.js"; L24: const require = createRequire(import.meta.url); L25: const pkg = require("../../package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/cli.jsView on unpkg · L23
assets/layout-swc-plugin-57.wasmView file
path = assets/layout-swc-plugin-57.wasm kind = wasm_module sizeBytes = 848042 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

assets/layout-swc-plugin-57.wasmView on unpkg
dist/src/install/live.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @layoutdesign/context@0.17.0 matchedIdentity = npm:QGxheW91dGRlc2lnbi9jb250ZXh0:0.17.0 similarity = 0.809 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/install/live.jsView on unpkg

Findings

1 High5 Medium4 Low
HighPrevious Version Dangerous Deltadist/src/install/live.js
MediumDynamic Requiredist/bin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleassets/layout-swc-plugin-57.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings