registry  /  @lousy-agents/cli  /  5.17.3

@lousy-agents/cli@5.17.3

CLI scaffolding tool that sets up projects with structure, instructions, and feedback loops for AI coding assistants

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `lousy-agents init-hooks` or accepts prompts during `lousy-agents copilot-setup`.
Impact
Future Claude Code events can invoke the package CLI; optional GitHub ruleset operations use the user's GitHub credentials.
Mechanism
Explicit project-local AI-agent and npm configuration writes.
Rationale
Source inspection found no malicious execution chain, exfiltration, lifecycle persistence, or hidden payload. Per policy, explicit AI-agent control-surface mutation remains a warn-level capability risk.
Evidence
package.jsondist/index.jsdist/913.js.claude/settings.json.npmrc.github/workflows/copilot-setup-steps.yml
Network endpoints1
api.github.com

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` `init-hooks` writes project `.claude/settings.json` hooks invoking `lousy-agents context` and `capture`.
  • `dist/index.js` `copilot-setup` can add `agent-shell` to project `.npmrc` after a confirmation prompt.
  • `dist/index.js` resolves `GH_TOKEN`/`GITHUB_TOKEN` or runs `gh auth token` for optional GitHub ruleset actions.
  • `dist/index.js` uses Octokit against `https://api.github.com` when the user opts into Copilot ruleset management.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • All control-surface writes are behind explicit CLI commands; ruleset and `.npmrc` changes request confirmation.
  • `capture` validates bounded stdin and writes a local prompt to stdout; it does not transmit transcript data.
  • `context` confines file reads to the selected project root and skips unsafe paths.
  • The `dist/913.js` Unicode hit is escaped JSON5 parser character-class data, not concealed bidi source behavior.
  • No credential or project-file exfiltration, remote payload download, destructive action, or stealth persistence was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
WildcardDependency
scanned 25 file(s), 613 KB of source, external domains: 127.0.0.1, api.github.com, bitbucket.com, bitbucket.org, caniuse.com, git.sr.ht, github.com, gitlab.com, raw.githubusercontent.com
Oversized source lightweight scan
dist/index.js2.10 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringscaniuse.com

Source & flagged code

4 flagged · loading source
dist/913.jsView file
21contains invisible/control Unicode U+FEFF (zero width no-break space) `?(c++,l=0):e?l+=e.length:l++,e&&(s+=e.length),e}let S={default(){switch(v){case` `:case`\v`:case`\f`:case` `:case`\xA0`:case`<U+FEFF>`:case`
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/913.jsView on unpkg · L21
dist/index.jsView file
path = dist/index.js kind = oversized_source_file sizeBytes = 2198905 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.jsView on unpkg
path = dist/index.js kind = oversized_cli_entrypoint sizeBytes = 2198905 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/index.jsView on unpkg
dist/653.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lousy-agents/cli@5.17.1 matchedIdentity = npm:QGxvdXN5LWFnZW50cy9jbGk:5.17.1 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/653.jsView on unpkg

Findings

1 Critical2 High5 Medium5 Low
CriticalTrojan Source Unicodedist/913.js
HighOversized Source Filedist/index.js
HighPrevious Version Dangerous Deltadist/653.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/index.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings