registry  /  @supersession/sup  /  0.1.9

@supersession/sup@0.1.9

Your AI coding session, superseded — hand it off to any tool and keep going.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack surface is established. The package provides an explicit command that installs a first-party MCP extension into detected AI-tool configurations and an MCP server that processes local session transcripts.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `sup install`; subsequently an enabled AI client invokes the registered Supersession MCP server.
Impact
Adds a package-owned agent integration with access to session-derived content; optional explicit push can transmit redacted session data to the package service.
Mechanism
Explicit AI-tool MCP configuration and session handoff capability.
Rationale
The package has a real, user-invoked agent-extension lifecycle capability that changes AI-client configuration, so it warrants a warning under the stated policy. Inspection found no package-install trigger or evidence of unconsented exfiltration, remote payload execution, or destructive behavior.
Evidence
package.jsondist/cli.jsdist/install.jsdist/mcp.jsdist/cloud.jsdist/config.jsdist/login-browser.js~/.codex/config.toml~/.cursor/mcp.json~/.codeium/windsurf/mcp_config.json.mcp.json.claude/commands/sup-*.md.vscode/mcp.json
Network endpoints4
supersession.supersession.workers.devsupersession-web.supersession.workers.devapi.anthropic.comapi.openai.com

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/install.js` implements `sup install`, which registers its MCP server in detected Claude, Cursor, Windsurf, VS Code, Antigravity, and Codex configurations.
  • `dist/mcp.js` exposes MCP operations that read local AI-session data and can write handoff files.
  • `dist/cloud.js` uploads redacted session data to `supersession.supersession.workers.dev` when the explicit push operation is invoked.
  • `dist/login-browser.js` launches a browser through `child_process.exec` for explicit OAuth login.
Evidence against
  • `package.json` contains only `prepublishOnly`; it has no install-time lifecycle hook.
  • Configuration mutation is reachable from the explicit `sup install` CLI command in `dist/cli.js`, not package installation or import.
  • Cloud upload requires a configured token and explicit `push`; `dist/cli.js` and `dist/mcp.js` redact session secrets before upload.
  • No eval, remote-code loader, destructive filesystem action, or stealth persistence was found in inspected sources.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 136 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, supersession-web.supersession.workers.dev, supersession.supersession.workers.dev

Source & flagged code

1 flagged · loading source
dist/distill/template.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @supersession/sup@0.1.7 matchedIdentity = npm:QHN1cGVyc2Vzc2lvbi9zdXA:0.1.7 similarity = 0.727 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/distill/template.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/distill/template.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings