AI Security Review
scanned 2d ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/mcp-config.js` runs an explicit CLI setup that writes MCP agent configuration.
- Setup targets Claude Desktop, Cursor, or `./.mcp/config.json` and registers a server using `npx -y @signaliz/mcp-server@latest`.
- The registered server is unpinned and would fetch/execute that separate package when the configured client starts.
- `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` is publish-time only.
- SDK network requests are limited to package-aligned `api.signaliz.com` endpoints and use caller-provided credentials.
- No shell/process spawning, eval, credential harvesting, or import-time filesystem mutation appears in the shipped SDK entrypoint.
- Config mutation occurs only after the user explicitly invokes the package bin.
Source & flagged code
2 flagged · loading source`dist/mcp-config.js` runs an explicit CLI setup that writes MCP agent configuration.
dist/mcp-config.jsView on unpkgSetup targets Claude Desktop, Cursor, or `./.mcp/config.json` and registers a server using `npx -y @signaliz/mcp-server@latest`.
mcp/config.jsonView on unpkg