AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- dist/src/cli/commands/init.js writes MCP config into .mcp.json and, when present, .cursor/mcp.json, .agents/mcp_config.json, .codex/config.toml.
- dist/src/cli/commands/init.js always writes ~/.gemini/config/mcp_config.json during user-invoked init.
- Generated MCP configs run npx -y @siddharthakatiyar/contextos@latest serve, introducing first-party agent extension lifecycle risk.
- dist/src/mcp/tools/execute.js exposes an MCP command execution tool with allowlisted npm/npx/git/tsc/file commands.
- dist/src/cli/commands/init.js auto-starts a detached npx contextos daemon after initialization.
- package.json has no preinstall/install/postinstall hook; only prepublishOnly runs build.
- dist/src/core/updater/index.js only runs npm view for version notification, not payload install/execution.
- MCP command execution is allowlisted and constrained to CONTEXTOS_REPO_ROOT/cwd with traversal checks.
- No credential harvesting, external exfiltration endpoint, destructive behavior, obfuscated payload, or dynamic remote code load found.
- Entrypoint dist/bin/contextos.js only registers CLI commands and reads package.json version.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
dist/src/core/updater/index.jsView on unpkg · L1Package source references weak cryptographic algorithms.
dist/src/core/daemon/client.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/cli/commands/init.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/src/cli/commands/init.jsView on unpkg · L211