registry  /  @spcookie/erii-config  /  1.2.3

@spcookie/erii-config@1.2.3

Erii configuration templates.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code copies this package's Erii configuration templates into the host project's `.conf/` and `conf/` directories. It may also create `.update-conf/` copies when those destinations already exist. No confirmed exfiltration or remote execution is present.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall
Impact
Modifies project-local configuration directories during installation.
Mechanism
local Erii configuration provisioning
Rationale
This is a first-party, package-aligned Erii configuration setup hook, not concrete malware. It remains a warning because it performs install-time project-local configuration writes.
Evidence
package.jsonpostinstall.jsconf/.env.localconf/application.conf.conf/setup.json.conf/copy.json.conf/conf/.update-conf/.conf/.update-conf/conf/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • `package.json` runs `node postinstall.js` during installation.
  • `postinstall.js` writes `.conf/` and `conf/` into its derived project root.
  • Existing destinations cause full copies into `.update-conf/`.
Evidence against
  • `postinstall.js` only uses synchronous local filesystem APIs; no network, shell, eval, or dynamic loading.
  • `conf/.env.local` contains placeholder API-key values, not embedded credentials.
  • Bundled JSON/HOCON files are Erii configuration templates; no foreign agent-control paths or payloads found.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.24 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
conf/.env.localView file
2patternName = blocked_file severity = critical matchedText = conf/.env.local redactedSecretContext = secretLikeLines = 8 L2: GOOGLE_API_KEY=<redacted:24 token-like> L4: OPENAI_API_KEY=<redacted:24 token-like> L5: ANTHROPIC_API_KEY=<redacted:27 token-like> L6: OPENROUTER_API_KEY=<redacted:28 token-like> L9: EMBEDDING_API_KEY=<redacted:33 token-like> L12: SEARCH_API_KEY=<redacted:24 token-like> L15: VISION_API_KEY=<redacted:24 token-like> L18: NAPCAT_TOKEN=<redacted:17 value>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

conf/.env.localView on unpkg · L2

Findings

1 Critical1 High2 Medium2 Low
CriticalCritical Secretconf/.env.local
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem