AI Security Review
scanned 1d ago · by lpm-firewall-ai
No source-grounded attack surface could be established without filesystem inspection.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
unknown
Impact
unknown
Mechanism
unknown
Rationale
Filesystem inspection was not completed, so no reliable source-based verdict can be made.
Decision evidence
public snapshot
AI called this Manual Review at 10.0% confidence as Unknown with high false-positive risk.
Evidence for block
- Inspection could not be performed in this constrained response path.
Evidence against
Behavioral surface
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, HighEntropyStrings, UrlStrings
Source & flagged code
4 flagged
package.json
• scripts.postinstall = node scripts/safe-postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
dist/core/dag-checkpoint.js
L18: exports.computeDagId = computeDagId;
L19: const logger_1 = require("../utils/logger");
L20: const hash_1 = require("../utils/hash");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/core/dag-checkpoint.js · L18
scripts/safe-postinstall.cjs
Install-time AI-agent control hijack evidence:
L1: #!/usr/bin/env node
L2: const { existsSync, mkdirSync, copyFileSync, readFileSync, writeFileSync, unlinkSync } = require("node:fs");
L3: const { join } = require("node:path");
...
L34: try {
L35: writeFileSync(VERSION_FILE, version, "utf8");
L36: } catch {
...
L130:
L131: mkdirSync(skillDestDir, { recursive: true });
L132: copyFileSync(sk[redacted], skillDestFile);
L133:
...
L217: /**
L218: * Get the CLAUDE.md source file path
Payload evidence from dist/integrations/agent-mcp-installer.js:
L16: exports.formatModelConfigGuide = formatModelConfigGuide;
L17: const node_child_process_1 = require("node:child_process");
L18: const node_fs_1 = require("node:fs");
...
L21: function isWindows() {
L22: return process.platform === "win32";
L23: }
...
L54: try {
L55: const output = (0, node_child_process_1.execFileSync)("cmd.exe", ["/c", "echo %USERPROFILE%"], {
L56: encoding: "utf8",
...
L74: const home = (0, node_os_1.homedir)();
L75: const appData = process.env.APPDATA ?? (isWindows() ? (0, node_path_1.join)(home, "AppData", "Roaming") : "");
L76: const localAppData = process.env.LOCALAPPDATA ?? (isWindows() ? (0, node_path_1.join)(home, "AppData", "Loc…
Critical
AI Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/safe-postinstall.cjs · L1
wasm/tree-sitter-go.wasm
• path = wasm/tree-sitter-go.wasm
kind = wasm_module
sizeBytes = 235957
magicHex = [redacted]
Medium
Findings
1 Critical · 1 High · 5 Medium · 5 Low
Critical · AI Agent Control Hijack · scripts/safe-postinstall.cjs
High · Install Time Lifecycle Scripts · package.json
Medium · Dynamic Require · dist/core/dag-checkpoint.js
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · wasm/tree-sitter-go.wasm
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings