AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack chain was found. This is an explicitly installed AI-agent extension that persists package-owned skills, hooks, and runtime files in agent and project locations.
Static reason
No blocking static signals were detected.
Trigger
User runs install.sh for an agent, or activates the installed Claude/Cursor/Pi extension in a project.
Impact
Can influence supported AI-agent sessions and execute its bundled review orchestration in the active project.
Mechanism
Agent-hook context injection and package-owned runtime deployment.
Rationale
Source shows first-party AI-agent extension setup and session hooks, which warrants a warning under the stated lifecycle policy. No concrete malicious behavior was established.
Evidence
package.jsoninstall.shplugins/edc/hooks/hooks.jsonplugins/edc/hooks/lib/route.mjsplugins/edc/hooks/session-start.mjspi/index.mjs~/.codex/skills~/.cursor/skills~/.cursor/commands~/.edc/scripts~/.edc/skills~/.zshrc~/.bashrc.edc/scripts.edc/hooks/lib.edc/skills
Network endpoints2
raw.githubusercontent.com/almogdepaz/edc/main/install.shgithub.com/almogdepaz/EDC/archive/refs/tags/
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- install.sh explicitly writes global Codex skills under ~/.codex/skills.
- install.sh writes Cursor command wrappers and adds ~/.edc/scripts to shell PATH unless --no-path.
- hooks.json registers SessionStart and PreToolUse hook commands for supported agent platforms.
- hooks/lib/route.mjs copies executable runtime and prompt bundles into project .edc/ on agent session start.
Evidence against
- package.json has only prepublishOnly; no preinstall, install, or postinstall hook.
- No credential-path harvesting or network exfiltration code found in reviewed runtime files.
- Network use is limited to explicit installer GitHub archive download and user-requested gh PR diff.
- Hook injection is gated on an EDC project manifest and non-advisory context mode.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourceplugins/edc/scripts/edc-doctor.shView file
•path = plugins/edc/scripts/edc-doctor.sh
kind = build_helper
sizeBytes = 2739
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
plugins/edc/scripts/edc-doctor.shView on unpkgFindings
3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helperplugins/edc/scripts/edc-doctor.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings