AI Security Review
scanned 3h ago · by lpm-firewall-ai

LPM treats this as a warn-only first-party agent extension lifecycle risk. No confirmed malicious behavior or install-time attack was found. The real risk is user-invoked first-party Claude/Codex agent context and hook setup that alters AI-agent control surfaces for the local project.
Static reason
One or more suspicious static signals were detected.
Trigger
Running shiprun scan without --no-hook, or running shiprun deploy/undeploy/fix
Impact
Writes local reports, .shiprun state, optional Claude SessionStart hook, and deploy-managed agent/context files; npm audit may contact npm registry when scanning dependencies.
Mechanism
local security scanner with report generation and first-party AI-agent hook/context setup
Rationale
Source inspection supports a package-aligned CLI with local scanning, report writing, and explicit/scan-time AI-agent integration; no unconsented npm install hook, exfiltration, remote payload execution, destructive behavior, or broad foreign control-surface hijack was found. Because it writes Claude/Codex agent context and a Claude startup hook during user-invoked workflows, treat as a lifecycle risk warning rather than malicious.
Evidence
- package.json
- dist/cli.js
- dist/hook.js
- dist/deploy.js
- dist/fixer.js
- dist/checks/secrets.js
- dist/checks/dependencies.js
- SHIPRUN.md
- shiprun-report/
- shiprun-report/changelog.md
- .shiprun/findings.json
- .shiprun/history.jsonl
- .shiprun/changelog.md
- .claude/hooks/shiprun-context.cjs
- .claude/settings.json
- .claude/context/shiprun-house-rules.md
- .claude/agents/shiprun-fix-*.md
- CLAUDE.md
- AGENTS.md
- .shiprun/deploy-manifest.json
- .gitignore
- .github/workflows/ci.yml
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- dist/cli.js default scan writes reports and, unless --no-hook, calls ensureSessionStartHook(root).
- dist/hook.js writes .claude/hooks/shiprun-context.cjs and registers a Claude SessionStart command in .claude/settings.json.
- dist/deploy.js explicit deploy writes .claude/agents/shiprun-fix-*.md, .claude/context/shiprun-house-rules.md, and managed blocks into CLAUDE.md/AGENTS.md.
- dist/checks/dependencies.js can run npm audit --json during scans.
Evidence against
- package.json has no preinstall/install/postinstall; prepare/prepublishOnly only run npm run build.
- No credential exfiltration or attacker network endpoints found in inspected source.
- dist/checks/secrets.js reads local files to generate findings, not to transmit secrets.
- Agent/control-surface mutations are package-aligned and user-invoked by scan/deploy commands.
- dist/deploy.js uses delimited managed blocks and manifest-based undeploy/prune behavior.
Behavioral surface
ChildProcess · EnvironmentVars · Filesystem · Network · Shell · HighEntropyStrings
Source & flagged code
2 flagged
dist/checks/secrets.js
patternName = private_key_rsa
severity = critical
line = 18
matchedText = { name: .../ },
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/checks/secrets.js · L18
patternName = private_key_rsa
severity = critical
line = 18
matchedText = { name: .../ },
Critical
Findings
2 Critical · 2 Medium · 4 Low
- Critical: Critical Secret (dist/checks/secrets.js)
- Critical: Secret Pattern (dist/checks/secrets.js)
- Medium: Network
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings