@reticlehq/core@1.3.0

One-install Reticle: the dev-only SDK (browser + React adapter) and the spec runner under one package, with subpaths for the source-mapping plugins and the MCP server.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `reticle init`, `reticle mcp`, `reticle serve`, or an MCP update tool with confirm:true
Impact
Broad agent-facing capability is installed when requested, but no lifecycle hijack or unconsented execution was found.
Mechanism
user-invoked MCP registration, localhost daemon, and guarded self-update
Policy narrative
The package is an AI/MCP development tool. Its risky behaviors are surfaced through explicit CLI or MCP tool use: registering a Reticle MCP server, starting a local daemon, integrating SDK snippets into a project, and optionally updating via npm after confirmation. There is no install-time hook or import-time code that silently plants agent instructions or exfiltrates data.
Rationale
Static inspection shows package-aligned, user-invoked MCP/daemon/update capabilities with no lifecycle execution or foreign control-surface mutation at install time. Because it can register broad agent integrations and expose powerful MCP tools, warn rather than block.
Evidence
package.json, README.md, dist/cli.js, dist/server.js, dist/index.js, dist/test.js, ~/.cursor/mcp.json, ~/.reticle/daemon-<port>.pid, ~/.reticle/daemon-<port>.log, ~/.reticle/update-manifest.json, .reticle.json, vite.config.*, app/reticle-dev.tsx, src/hooks.client.ts
Network endpoints (3)
registry.npmjs.org/@reticlehq/core/latest, localhost, ws://localhost:4400/reticle

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli.js registers global Claude/Cursor MCP entries during explicit `reticle init`
  • dist/cli.js can spawn a detached localhost daemon and writes pid/log files under ~/.reticle
  • dist/cli.js exposes MCP update tools that fetch npm latest and run npm install only after confirm:true
  • dist/cli.js writes project integration files such as .reticle.json, Vite config, app/reticle-dev.tsx, or src/hooks.client.ts
Evidence against
  • package.json has no npm lifecycle hooks, so install/import does not auto-mutate agent configs
  • dist/cli.js entrypoint gates execution with isEntryPoint(); imports do not run CLI main
  • MCP/daemon/network behavior is Reticle-aligned and documented in README.md
  • servers bind/proxy to loopback by default and use optional tokens/origin controls
  • no credential harvesting, destructive code, obfuscated payload, or unrelated exfiltration found
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 9 file(s), 1.33 MB of source, external domains: fonts.googleapis.com, github.com, registry.npmjs.org

Source & flagged code

4 flagged
dist/test.js
  L6512: // ../server/dist/update/updater.js
  L6513: import { execFile } from "child_process";
  L6514: import { existsSync as existsSync2 } from "fs";
High
Child Process

Package source references child process execution.

dist/test.js · L6512
dist/cli.js
  L10615: exec(command, args) {
  L10616: const result = spawnSync(command, [...args], { cwd, stdio: "inherit", shell: true });
  L10617: return result.status === 0;
High
Shell

Package source references shell execution.

dist/cli.js · L10615
Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution.
  L256: FLOW_RECORDED: "flow.recorded",
  L257: /** synthetic: browser transport queue overflowed; events were dropped. `data: { dropped: number }`. */
  L258: TRANSPORT_OVERFLOW: "transport.overflow",
  ...
  L1532: try {
  L1533: return new URL(url, "http://x").pathname;
  L1534: } catch {
  ...
  L2053: try {
  L2054: parsed = JSON.parse(text);
  L2055: } catch {
  ...
  L2936: const line = JSON.stringify({ event, ...fields });
  L2937: process.stderr.write(`${line}
  L2938: `);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.js · L256
dist/vite.js
  L24: const filename = state.filename ?? "unknown";
  L25: const rel = relative(process.cwd(), filename);
  L26: const value = `${rel}:${String(loc.start.line)}:${String(loc.start.column)}`;
  ...
  L86: for (let depth = 0; depth < 50; depth++) {
  L87: const pkgPath = join(dir, "package.json");
  L88: if (existsSync(pkgPath)) {
  L89: try {
  L90: const parsed = JSON.parse(readFileSync(pkgPath, "utf8"));
  L91: if (typeof parsed === "object" && parsed !== null) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/vite.js · L24

Findings

3 High, 2 Medium, 6 Low
High · Child Process · dist/test.js
High · Shell · dist/cli.js
High · Cross File Remote Execution Context · dist/cli.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Weak Crypto · dist/vite.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License