AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `maodashu setup --client <codebuddy|cursor|claude|codex>` and later starts the configured MCP server.
Impact
Adds a package-controlled MCP capability to the selected user agent; no unconsented install-time mutation or concrete malicious behavior was confirmed.
Mechanism
Explicit AI-agent MCP/skill installation plus authenticated gateway client.
Rationale
The package creates a user-level AI-agent integration only through an explicit setup command, so it is not malicious under the install-control-surface policy. It warrants a warning because that command alters agent control surfaces and enables a remote MCP capability.
Evidence
package.jsondist/installer/index.jsdist/cli/commands/setup.jsdist/mcp/server.jsdist/clients/gateway-client.jsdist/auth/credentials.js
Network endpoints2
ai-video-agent-226345-8-1257781291.sh.run.tcloudbase.comwww.xhsbkscq.cn/docs/agent-bridge
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/installer/index.js` explicitly configures MCP for Cursor, CodeBuddy, Claude, and Codex.
- `setupClient` writes user agent config and copies six package skills into agent skill directories.
- Installed MCP config launches `maodashu-mcp` and sets a remote gateway URL.
- `dist/auth/credentials.js` stores OAuth credentials in Keychain or `~/.maodashu-agent/credentials.json`.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Agent configuration mutation requires the explicit `maodashu setup --client ...` command.
- Network calls are authenticated API/device-login requests to the configured product gateway.
- No source evidence of arbitrary command execution, payload download, broad file harvesting, or stealth persistence.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcedist/auth/auth-diagnostics.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @maodashu/agent-bridge@0.1.8
matchedIdentity = npm:QG1hb2Rhc2h1L2FnZW50LWJyaWRnZQ:0.1.8
similarity = 0.810
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/auth/auth-diagnostics.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/auth/auth-diagnostics.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License