AI Security Review
scanned 2d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Moda observability CLI with user-invoked commands that can write first-party agent skills/rules and local Moda artifacts. No install-time or import-time compromise path was found.
Static reason
No blocking static signals were detected.
Trigger
User runs commands such as moda init, moda skills pull, moda skills sync, or sdk integration prompts.
Impact
Potentially changes local agent instructions or runs a local coding-agent integration task only after user command/approval; no confirmed malicious behavior.
Mechanism
Authenticated CLI network calls and explicit local agent-extension/artifact writes
Rationale
Source inspection shows no unconsented npm lifecycle mutation, exfiltration, stealth persistence, destructive behavior, or remote code execution. Because the package includes first-party agent extension setup and generated skill pull into agent directories, warn rather than mark fully clean.
Evidence
package.jsondist/cli.jsdist/init/index.jsdist/init/rules.jsdist/skills.jsdist/init/sdk-integration.jsdist/workspace.jsdist/api-client.jsdist/update-check.jshooks/moda-snapshot.sh~/.moda/config.json~/.moda/auth.json~/.moda/profiles.json~/.moda/secrets/**.moda/prompts.yml.moda/skills.yml.moda/harness.json.claude/skills/<id>/SKILL.md.cursor/rules/<id>.mdc
Network endpoints6
moda.devstaging.moda.devmoda-ingest.modas.workers.devregistry.npmjs.org/@moda-ai/cli/latestlocalhost:3000localhost:8787
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/init/rules.js can install bundled moda-cli skill into .claude/skills and .cursor/rules during user-run init.
- dist/skills.js pulls authenticated server-generated skills and writes/prunes managed .claude/.cursor agent files plus .moda/skills.yml.
- dist/init/sdk-integration.js can spawn claude/codex/cursor in write mode, gated by init setup approval.
- dist/workspace.js contains hook installers for Claude/Codex/Cursor configs, though not registered in dist/cli.js.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- dist/cli.js comments out workspace/hooks command registrations and init sets installHooks false.
- Network use is package-aligned: moda.dev, moda-ingest.modas.workers.dev, staging/local profile URLs, npm registry update check.
- Secrets are read from MODA_* env or ~/.moda config for authenticated user commands, with no broad credential harvesting seen.
- No eval/vm/Function/native binary loading or remote payload execution found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourcehooks/moda-snapshot.shView file
•path = hooks/moda-snapshot.sh
kind = build_helper
sizeBytes = 1497
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
hooks/moda-snapshot.shView on unpkgFindings
5 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperhooks/moda-snapshot.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings