AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The risky primitives are package-aligned scaffolding, optional GitHub ruleset management, and explicit AI-assistant hook setup.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs commands such as lousy-agents init, new, copilot-setup, or init-hooks.
Impact
Creates or updates project templates, Copilot workflow/ruleset configuration, optional .npmrc script-shell entry, or Claude hook settings when requested.
Mechanism
user-invoked project scaffolding and assistant configuration
Rationale
Static inspection shows a legitimate scaffolding CLI with user-invoked writes and optional GitHub API use, not install-time execution, credential harvesting, exfiltration, persistence, or hidden AI-agent control mutation. Scanner hits are explained by bundled dependencies, templates/tests, repository URLs, and package-aligned assistant setup features.
Evidence
package.jsonREADME.mddist/index.jsdist/913.jsapi/copilot-with-fastify/src/app.integration.ts.github/copilot-instructions.md.github/workflows/copilot-setup-steps.yml.github/skills/*/SKILL.md.claude/settings.json.npmrc
Network endpoints3
api.github.comuploads.github.comgithub.com/${action}/releases/latest
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- User-invoked commands can write AI assistant configuration files such as .github/copilot-instructions.md, .github/skills/*/SKILL.md, and .claude/settings.json.
- copilot-setup can read GH_TOKEN/GITHUB_TOKEN or gh auth token and call GitHub APIs after user interaction.
Evidence against
- package.json defines no install/preinstall/postinstall lifecycle hooks; bin is dist/index.js only.
- README describes the package as scaffolding for init, new, lint, and copilot-setup commands.
- dist/index.js writes scaffold files only from explicit CLI commands and preserves existing files in createFilesystemStructure.
- init-hooks is an explicit subcommand; hook entries run lousy-agents context/capture, not hidden arbitrary payloads.
- Path handling uses resolveSafePath/readFileNoFollow/symlink checks for project file reads and writes.
- Direct Trojan-source check of dist/913.js/dist/*.js found no bidi or invisible control matches.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedUrlStrings
WildcardDependency
Oversized source lightweight scan
dist/index.js2.08 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringscaniuse.com
Source & flagged code
3 flagged · loading sourcedist/913.jsView file
21contains invisible/control Unicode U+FEFF (zero width no-break space)
`?(c++,l=0):e?l+=e.length:l++,e&&(s+=e.length),e}let S={default(){switch(v){case` `:case`\v`:case`\f`:case` `:case`\xA0`:case`<U+FEFF>`:case`
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/913.jsView on unpkg · L21dist/index.jsView file
•path = dist/index.js
kind = oversized_source_file
sizeBytes = 2184721
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/index.jsView on unpkg•path = dist/index.js
kind = oversized_cli_entrypoint
sizeBytes = 2184721
magicHex = [redacted]
Medium
Oversized Cli Entrypoint
Package contains an oversized executable-looking CLI entrypoint.
dist/index.jsView on unpkgFindings
1 Critical1 High5 Medium5 Low
CriticalTrojan Source Unicodedist/913.js
HighOversized Source Filedist/index.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/index.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings