AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an AI development scaffolding CLI that can modify project agent configuration only when a user runs its commands.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs lousy-agents CLI subcommands such as init, new, copilot-setup, init-hooks, context, capture, lint, or doctor.
Impact
Creates or updates project files for Copilot/Claude workflows and optional GitHub rulesets; no install-time or covert behavior confirmed.
Mechanism
user-invoked project scaffolding and configuration
Rationale
Static source inspection shows a legitimate, user-invoked scaffolding and AI-agent configuration CLI with no lifecycle execution or covert exfiltration. Risky primitives are aligned with documented commands and guarded by prompts/path checks where relevant.
Evidence
package.jsondist/index.jsdist/913.jsapi/copilot-with-fastify/.vscode/mcp.jsoncli/copilot-with-citty/.vscode/mcp.jsonui/copilot-with-react/.vscode/mcp.json.claude/settings.json.github/copilot-instructions.md.github/instructions/*.md.github/workflows/copilot-setup-steps.yml.github/workflows/assign-copilot.yml.vscode/mcp.json.npmrc
Network endpoints2
api.github.comgithub.com
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- CLI can write AI-agent control files on explicit commands: .claude/settings.json hooks, .github/copilot-instructions.md, .vscode/mcp.json.
- copilot-setup can use GH_TOKEN/GITHUB_TOKEN or gh auth token to call GitHub ruleset APIs after user prompt.
- copilot-setup may add script-shell=agent-shell to .npmrc only after confirmation.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts; bin points to dist/index.js only.
- dist/index.js writes occur from explicit CLI commands such as init, new, copilot-setup, and init-hooks, not import/install time.
- Claude hook writes are package-aligned context/capture commands, scoped to .claude/settings.json, with symlink and safe path checks.
- Network use is Octokit/GitHub ruleset management and documented scaffold URLs, not arbitrary exfiltration endpoints.
- dist/913.js Unicode hint did not reveal bidi/invisible controls in direct scan; matches appear from bundled emoji/Unicode regex data.
- No source evidence of credential harvesting, destructive behavior, persistence outside configured project files, or hidden payload loading.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedUrlStrings
WildcardDependency
Oversized source lightweight scan
dist/index.js2.08 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringscaniuse.com
Source & flagged code
3 flagged · loading sourcedist/913.jsView file
21contains invisible/control Unicode U+FEFF (zero width no-break space)
`?(c++,l=0):e?l+=e.length:l++,e&&(s+=e.length),e}let S={default(){switch(v){case` `:case`\v`:case`\f`:case` `:case`\xA0`:case`<U+FEFF>`:case`
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/913.jsView on unpkg · L21dist/index.jsView file
•path = dist/index.js
kind = oversized_source_file
sizeBytes = 2183827
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/index.jsView on unpkg•path = dist/index.js
kind = oversized_cli_entrypoint
sizeBytes = 2183827
magicHex = [redacted]
Medium
Oversized Cli Entrypoint
Package contains an oversized executable-looking CLI entrypoint.
dist/index.jsView on unpkgFindings
1 Critical1 High5 Medium5 Low
CriticalTrojan Source Unicodedist/913.js
HighOversized Source Filedist/index.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/index.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings