AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a project scaffolding and AI-assistant setup CLI with user-invoked writes and aligned GitHub API usage.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs lousy-agents CLI subcommands such as init-hooks, copilot-setup, new, or init.
Impact
Project files may be created or updated by requested CLI commands; no install-time execution or unconsented persistence found.
Mechanism
explicit project scaffolding and hook/workflow configuration
Rationale
Static inspection found AI-agent hook mutation and GitHub token/network primitives, but they are exposed through documented, user-invoked CLI commands and bounded to project setup behavior. There is no lifecycle execution, credential harvesting, hidden payload, or unconsented agent control-surface mutation.
Evidence
package.jsonREADME.mddist/index.jsdist/913.js.claude/settings.json.github/workflows/copilot-setup-steps.yml.npmrc.github/agents/<name>.md.github/skills/<name>/SKILL.md.lousy-agents/lessons/<slug>.md
Network endpoints2
api.github.comuploads.github.com
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts; bin points to dist/index.js only.
- dist/index.js registers explicit CLI subcommands: init, lint, new, copilot-setup, context, init-hooks, capture, doctor.
- init-hooks writes .claude/settings.json only when user invokes the command, adding hooks that run lousy-agents context/capture.
- context/capture read Claude hook stdin and local .lousy-agents/lessons; they emit context/prompts, not shell commands or exfiltration.
- GitHub API/gh token use is limited to user-invoked copilot-setup ruleset management and repository detection.
- dist/913.js Unicode finding is JSON5/confbox dependency character tables, not hidden control-flow source.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedUrlStrings
WildcardDependency
Oversized source lightweight scan
dist/index.js2.08 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringscaniuse.com
Source & flagged code
3 flagged · loading sourcedist/913.jsView file
21contains invisible/control Unicode U+FEFF (zero width no-break space)
`?(c++,l=0):e?l+=e.length:l++,e&&(s+=e.length),e}let S={default(){switch(v){case` `:case`\v`:case`\f`:case` `:case`\xA0`:case`<U+FEFF>`:case`
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/913.jsView on unpkg · L21dist/index.jsView file
•path = dist/index.js
kind = oversized_source_file
sizeBytes = 2176711
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/index.jsView on unpkg•path = dist/index.js
kind = oversized_cli_entrypoint
sizeBytes = 2176711
magicHex = [redacted]
Medium
Oversized Cli Entrypoint
Package contains an oversized executable-looking CLI entrypoint.
dist/index.jsView on unpkgFindings
1 Critical1 High5 Medium5 Low
CriticalTrojan Source Unicodedist/913.js
HighOversized Source Filedist/index.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/index.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings