AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `npx @pm_zhousl/xinyun-ai-init` and then asks an AI tool to follow the copied README.
Impact
Can establish project-local AI guidance and documentation files after the user-directed follow-up; no concrete exfiltration or remote execution chain was found.
Mechanism
Explicit user-command AI-agent workflow/configuration setup.
Rationale
No malicious execution, exfiltration, persistence, or install-time behavior was found. The package still warrants a warning under the explicit user-command AI-agent configuration policy because it seeds instructions to modify agent guidance in the target project.
Evidence
package.jsonbin/xinyun-ai-init.jsinit/xinyun-ai-init/README.mdinit/xinyun-ai-init/templates/AGENTS.template.mdscripts/publish-with-token.ps1xinyun-ai-init/AGENTS.mdxinyun-ai/
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- Explicit CLI copies an AI-workflow bundle into the caller's project.
- Copied instructions direct an AI to create project-root `AGENTS.md` and `xinyun-ai/` files.
- `--force` removes and replaces the caller's `xinyun-ai-init/` directory.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- CLI has no network, shell, eval, credential-harvesting, or dynamic payload behavior.
- Agent templates require user confirmation before business-code or configuration changes.
- Publish helper uses an operator-provided npm token only for explicit publishing and removes temporary `.npmrc`.
Behavioral surface
Filesystem
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcescripts/publish-with-token.ps1View file
•path = scripts/publish-with-token.ps1
kind = build_helper
sizeBytes = 2651
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/publish-with-token.ps1View on unpkgFindings
1 Medium3 Low
MediumShips Build Helperscripts/publish-with-token.ps1
LowScripts Present
LowFilesystem
LowHigh Entropy Strings