AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Running the package's MCP `serve` entrypoint can mutate Claude user-level MCP configuration without a fresh confirmation. It replaces an existing Figma MCP entry and may add Figma and Playwright integrations.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Starting `@layoutdesign/context serve` as an MCP server.
Impact
Changes AI-agent control-surface configuration and may enable external MCP integrations.
Mechanism
Runtime auto-registration and replacement of user-scoped Claude MCP servers.
Rationale
No install-time malware or exfiltration chain is established, but `serve` has an unconsented user-level agent configuration mutation path. Flag as a warning for agent-extension lifecycle risk.
Evidence
package.jsondist/src/mcp/server.jsdist/src/cli/setup-utils.jsdist/src/cli/install.jsdist/src/install/live.js~/.claude.jsonClaude user-scoped MCP configuration
Network endpoints1
mcp.figma.com/mcp
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/src/mcp/server.js` auto-runs setup on MCP server startup.
- `dist/src/cli/setup-utils.js` rewrites `~/.claude.json` when it finds a Figma stdio entry.
- `dist/src/cli/setup-utils.js` removes and adds user-scoped Figma MCP registrations.
- Startup can add a user-scoped Playwright MCP via `claude mcp add`.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- Agent configuration writes in `dist/src/cli/install.js` occur through explicit CLI install commands.
- Network use is feature-aligned: npm update checks, kit download, local preview, and Figma MCP.
- No credential harvesting, arbitrary remote payload execution, obfuscated code, or destructive filesystem behavior found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/bin/cli.jsView file
23import { notifyIfUpdate } from "../src/update-check.js";
L24: const require = createRequire(import.meta.url);
L25: const pkg = require("../../package.json");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/bin/cli.jsView on unpkg · L23assets/layout-swc-plugin-57.wasmView file
•path = assets/layout-swc-plugin-57.wasm
kind = wasm_module
sizeBytes = 848042
magicHex = [redacted]
Medium
dist/src/install/live.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @layoutdesign/context@0.17.0
matchedIdentity = npm:QGxheW91dGRlc2lnbi9jb250ZXh0:0.17.0
similarity = 0.809
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/install/live.jsView on unpkgFindings
1 High5 Medium4 Low
HighPrevious Version Dangerous Deltadist/src/install/live.js
MediumDynamic Requiredist/bin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleassets/layout-swc-plugin-57.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings