AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack surface is established. The package provides an explicit command that installs a first-party MCP extension into detected AI-tool configurations and an MCP server that processes local session transcripts.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `sup install`; subsequently an enabled AI client invokes the registered Supersession MCP server.
Impact
Adds a package-owned agent integration with access to session-derived content; optional explicit push can transmit redacted session data to the package service.
Mechanism
Explicit AI-tool MCP configuration and session handoff capability.
Rationale
The package has a real, user-invoked agent-extension lifecycle capability that changes AI-client configuration, so it warrants a warning under the stated policy. Inspection found no package-install trigger or evidence of unconsented exfiltration, remote payload execution, or destructive behavior.
Evidence
package.jsondist/cli.jsdist/install.jsdist/mcp.jsdist/cloud.jsdist/config.jsdist/login-browser.js~/.codex/config.toml~/.cursor/mcp.json~/.codeium/windsurf/mcp_config.json.mcp.json.claude/commands/sup-*.md.vscode/mcp.json
Network endpoints4
supersession.supersession.workers.devsupersession-web.supersession.workers.devapi.anthropic.comapi.openai.com
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/install.js` implements `sup install`, which registers its MCP server in detected Claude, Cursor, Windsurf, VS Code, Antigravity, and Codex configurations.
- `dist/mcp.js` exposes MCP operations that read local AI-session data and can write handoff files.
- `dist/cloud.js` uploads redacted session data to `supersession.supersession.workers.dev` when the explicit push operation is invoked.
- `dist/login-browser.js` launches a browser through `child_process.exec` for explicit OAuth login.
Evidence against
- `package.json` contains only `prepublishOnly`; it has no install-time lifecycle hook.
- Configuration mutation is reachable from the explicit `sup install` CLI command in `dist/cli.js`, not package installation or import.
- Cloud upload requires a configured token and explicit `push`; `dist/cli.js` and `dist/mcp.js` redact session secrets before upload.
- No eval, remote-code loader, destructive filesystem action, or stealth persistence was found in inspected sources.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/distill/template.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @supersession/sup@0.1.7
matchedIdentity = npm:QHN1cGVyc2Vzc2lvbi9zdXA:0.1.7
similarity = 0.727
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/distill/template.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/distill/template.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings