AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/index.js` registers explicit `mcp install`, `setup`, and `upgrade` commands that configure AI-agent integrations.
- `registerMcp` conditionally writes MCP entries for Claude, Cursor, Copilot, or invokes `codex mcp add`.
- MCP configuration points to first-party `https://mcp.shipeasy.ai/mcp`; setup can install or refresh marketplace skills.
- CLI invocation performs a cached update check against `https://registry.npmjs.org/@shipeasy/cli/latest`.
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `bin/shipeasy.js` only invokes `run()` after the user executes the CLI.
- Agent-config and SDK-install behavior is attached to named user commands, with dry-run, scope, and prompt controls.
- Network/auth code uses Shipeasy endpoints and stores its own credentials under the Shipeasy config directory; no arbitrary credential harvesting found.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L45Source collects local host identity data and sends it to an external endpoint.
dist/index.jsView on unpkg · L45Package source references dynamic require/import behavior.
bin/shipeasy.jsView on unpkg · L1