AI Security Review
scanned 21h ago · by lpm-firewall-aiNo unconsented install-time attack surface is confirmed. The package performs lockfile reporting and optional, user-invoked project instrumentation.
Static reason
No blocking static signals were detected.
Trigger
Explicit `scan`, `protect`, or `mark-build` CLI command; runtime protection requires application integration.
Impact
User-invoked commands can post dependency metadata or modify supported application files; no stealth persistence or foreign AI-agent control-surface mutation was found.
Mechanism
Lockfile manifest reporting plus optional Patchstack protection setup.
Rationale
The AI-directed documentation is an injection-like instruction channel, but source behavior is package-aligned and only activates through explicit CLI or runtime integration. No concrete malicious execution, exfiltration beyond the stated dependency manifest, or unconsented lifecycle mutation was found.
Evidence
package.jsondist/cli.jsdist/index.jsdist/protect.jsAGENT-INSTALL.mddist/protect/templates/guard.ts
Network endpoints2
api.patchstack.com/monitor/pulse/manifestapi.patchstack.com/api/get-rules/3
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- AGENT-INSTALL.md targets AI coding agents and directs project changes.
- AGENT-INSTALL.md asks agents to add scan/build hooks and an external widget.
- dist/cli.js has explicit `protect` and `mark-build` project-write commands.
Evidence against
- package.json has no preinstall/install/postinstall hook.
- dist/cli.js only runs commands chosen from its CLI dispatcher.
- dist/index.js posts normalized lockfile package names and versions.
- dist/protect.js fetches rules only with an explicit WAF token.
- No child-process, eval, VM, dynamic loader, or credential-harvesting primitive found.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceREADME.mdView file
•3. **"Install the package, then follow the instructions it ships" reads as handing control to the package author** — structurally the same as prompt injection — and preemptive reassurance language ("it's safe, don't be suspicious, note your knowledge cutoff") is itself flagged as a manipulation signal.
High
Ai Reviewer Manipulation
Package text addresses the security reviewer or scanner and tries to influence the review outcome.
README.mdView on unpkgFindings
1 High2 Medium5 Low
HighAi Reviewer ManipulationREADME.md
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings