registry  /  @rulemetric/cli  /  0.5.1

@rulemetric/cli@0.5.1

The RuleMetric CLI. Manages instructions, sessions, evals, and (as of the user-management release) organizations.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface by static inspection. The package is a telemetry/session-tracking CLI with explicit user-invoked hooks, proxy, and worker installation capabilities aligned with its stated RuleMetric functionality.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs rulemetric setup, hooks install, proxy setup, service install, or authenticated commands
Impact
Can capture AI session events and configure local proxy/persistence after explicit CLI setup; no install-time or hidden exfiltration found
Mechanism
User-invoked AI tool hook/proxy/service configuration and RuleMetric API calls
Rationale
The suspicious primitives are real but appear package-aligned and user-invoked: setup/hook/proxy/service commands visibly configure AI-agent hooks, local proxying, and worker persistence for RuleMetric session capture. There are no lifecycle hooks, no import-time payload, and no concrete hidden credential harvesting or nonaligned exfiltration path found.
Evidence
package.jsonbin/run.jsdist/chunk-346TGPVR.jsdist/chunk-ANOWI23I.jsdist/commands/hooks/install.jsdist/commands/proxy/setup.jsdist/chunk-CWFVBGX2.js~/.claude/settings.json.cursor/hooks.json.cursor/settings.json.github/hooks/rulemetric.json.vscode/settings.json~/.cursor/hooks.json~/.gemini/config/hooks.json~/Library/LaunchAgents/com.rulemetric.env.plist~/Library/LaunchAgents/com.rulemetric.worker.plist~/.config/systemd/user/rulemetric-worker.service~/.config/rulemetric/env~/.config/rulemetric/auth.json
Network endpoints3
rulemetric.comlocalhost:3000localhost:8787

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/chunk-ANOWI23I.js writes Claude/Cursor/Copilot/Antigravity hook configs that run rulemetric hooks
  • dist/commands/hooks/install.js can configure HTTPS_PROXY, trust mitmproxy CA, and start a local gateway
  • dist/commands/proxy/setup.js can install mitmproxy via pipx/uv/pip/brew when user runs setup
  • dist/commands/service/install.js creates launchd/systemd worker persistence when user runs service install
  • dist/chunk-CWFVBGX2.js sends authenticated API requests using RULEMETRIC tokens
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts
  • bin/run.js only dispatches oclif; no observed install-time execution
  • Dangerous commands are gated behind explicit CLI commands such as setup/hooks install/proxy setup/service install
  • Secrets are read from RuleMetric config and used as Authorization headers to configured RuleMetric API, not broad credential harvesting
  • Network defaults are package-aligned: https://rulemetric.com for version check and configurable/localhost API
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 221 file(s), 676 KB of source, external domains: rulemetric.com, www.apple.com

Source & flagged code

7 flagged · loading source
dist/chunk-346TGPVR.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rulemetric/cli@0.3.0 matchedIdentity = npm:QHJ1bGVtZXRyaWMvY2xp:0.3.0 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-346TGPVR.jsView on unpkg
15// src/lib/setup-steps.ts L16: import { execSync } from "node:child_process"; L17: import { existsSync, readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/chunk-346TGPVR.jsView on unpkg · L15
100function runCommand(cmd) { L101: execSync(cmd, { stdio: "inherit" }); L102: } ... L106: title: "Install the CLI", L107: command: "npm install -g @rulemetric/cli", L108: // Monotonic: the CLI must exist to produce any downstream signal, so it
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/chunk-346TGPVR.jsView on unpkg · L100
dist/commands/proxy/setup.jsView file
34description: "Shell to configure (auto-detected if omitted)", L35: options: ["zsh", "bash", "fish", "powershell"] L36: }),
High
Shell

Package source references shell execution.

dist/commands/proxy/setup.jsView on unpkg · L34
dist/commands/evals/run.jsView file
49} L50: this.log(`Running ${evals.length} eval(s) for "${target.name}" v${target.version}`); L51: this.log(`Config: ${flags["runs-per-eval"]} run(s) per eval, parallel=${flags.parallel}, iteration=${flags.iteration}`);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/commands/evals/run.jsView on unpkg · L49
dist/chunk-ANOWI23I.jsView file
1// src/lib/hooks-config.ts L2: import { execSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from "node:fs"; ... L141: try { L142: existing = JSON.parse(readFileSync(configPath, "utf-8")); L143: } catch { ... L167: function writeCursorUserHooks() { L168: return writeCursorHooksToDir(join(homedir(), ".cursor")); L169: } ... L233: } L234: settings["http.proxy"] = `http://localhost:${gatewayPort}`; L235: settings["http.proxyStrictSSL"] = existsSync(certPath);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-ANOWI23I.jsView on unpkg · L1
1// src/lib/hooks-config.ts L2: import { execSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from "node:fs"; ... L141: try { L142: existing = JSON.parse(readFileSync(configPath, "utf-8")); L143: } catch { ... L167: function writeCursorUserHooks() { L168: return writeCursorHooksToDir(join(homedir(), ".cursor")); L169: } ... L233: } L234: settings["http.proxy"] = `http://localhost:${gatewayPort}`; L235: settings["http.proxyStrictSSL"] = existsSync(certPath);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-ANOWI23I.jsView on unpkg · L1

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/chunk-346TGPVR.js
HighChild Processdist/chunk-346TGPVR.js
HighShelldist/commands/proxy/setup.js
HighSandbox Evasion Gated Capabilitydist/chunk-ANOWI23I.js
HighRuntime Package Installdist/chunk-346TGPVR.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-ANOWI23I.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/commands/evals/run.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License