AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package exposes explicit setup/runtime APIs that can install first-party tiny-brain hooks, Claude agents, and Claude settings permissions. No npm install-time mutation or concrete malicious exfiltration/destructive chain was found.
Static reason
No blocking static signals were detected.
Trigger
Explicit caller use of setup, agent install, hook install, or headless Claude run APIs
Impact
Can modify repo-local AI-agent and git-hook configuration when invoked, but not automatically on package install/import.
Mechanism
first-party agent/hook setup and user-invoked Claude subprocess orchestration
Rationale
Source inspection found first-party AI-agent/hook lifecycle setup and headless Claude execution capabilities, but they are explicit/user-invoked rather than npm install-time and no credential harvesting or off-domain exfiltration was identified. This fits a warning-level agent extension lifecycle risk, not a publish block.
Evidence
package.jsondist/index.jsdist/services/analysis/config-setup-service.jsdist/services/agent/agent-installation-service.jsdist/services/agent/install-plugin-agents.jsdist/services/bootstrap/hook-installer.jsdist/services/api/claude-cli-client.jsdist/config/service-urls.js.claude/settings.json.claude/agents/*.md.git/hooks/commit-msg.git/hooks/post-commit.git/hooks/pre-commit.git/hooks/pre-push.git/hooks/tiny-brain-exec.git/hooks/tiny-brain-run-hooks~/.tiny-brain/config/credentials.json
Network endpoints3
tiny-brain-service.vercel.apptiny-brain-remote.vercel.app/chat/completions
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/services/analysis/config-setup-service.js can add allow permissions to .claude/settings.json during setup
- dist/services/agent/agent-installation-service.js and install-plugin-agents.js write agent markdown into .claude/agents
- dist/services/bootstrap/hook-installer.js installs executable git hooks when explicitly invoked
- dist/services/api/claude-cli-client.js can spawn claude with --dangerously-skip-permissions for headless runs
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hook; only prepublishOnly
- dist/index.js is a barrel export and has no import-time side effects observed
- hook installer preserves unsigned existing hooks unless forceOverwrite is set
- network clients use package-aligned tiny-brain/OpenAI-compatible endpoints with caller-supplied tokens
- credential storage keeps clientSecret local under ~/.tiny-brain/config/credentials.json and no exfiltration path was found
Behavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/services/quality/investigation-checklists.jsView file
29description: 'Look for user input passed to exec, spawn, or system calls',
L30: patterns: ['exec(', 'spawn(', 'system(', 'eval(', 'execSync('],
L31: severity: 'critical',
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/services/quality/investigation-checklists.jsView on unpkg · L29templates/hooks/prune-on-push.shView file
•path = templates/hooks/prune-on-push.sh
kind = build_helper
sizeBytes = 2753
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
templates/hooks/prune-on-push.shView on unpkgFindings
4 Medium6 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/hooks/prune-on-push.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/services/quality/investigation-checklists.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings