AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `miru install` and confirms selected integrations, or runs search/index/MCP commands.
Impact
Can alter chosen agent behavior and expose indexed source text to the configured embedding service, but no unconsented lifecycle mutation is established.
Mechanism
Interactive agent-config integration, optional search-guard hooks, and remote embeddings.
Rationale
The package is not concretely malicious: it has no install-time execution or unconsented configuration mutation. It warrants a warning because explicit setup can modify broad AI-agent control surfaces and install behavior-changing hooks.
Evidence
package.jsonsrc/index.tssrc/cli.tssrc/installer/installer.tssrc/installer/agents.tssrc/installer/hooks/install.tssrc/installer/hooks/search-guard.tssrc/installer/hooks/opencode-plugin.tssrc/embeddings/openai.ts~/.claude.json~/.cursor/mcp.json~/.gemini/settings.json~/.codex/config.toml~/.config/opencode/plugins/miru-search-guard.ts
Network endpoints2
infer.takara.ai/v1registry.npmjs.org/@takara-ai%2Fmiru-code
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/installer/installer.ts` runs only via explicit interactive `miru install`/`uninstall` with agent, integration, plan, and confirmation prompts.
- `src/installer/agents.ts` targets global AI-agent configs including `~/.claude.json`, `~/.cursor/mcp.json`, `~/.gemini/settings.json`, and `~/.codex/config.toml`.
- `src/installer/hooks/install.ts` can add agent pre-tool hooks; `src/installer/hooks/search-guard.ts` denies built-in search/exploration tools.
- `src/installer/hooks/opencode-plugin.ts` installs a plugin that throws before grep/glob/shell exploration tools.
- `src/embeddings/openai.ts` posts indexed source-text chunks with a bearer key to the configured embeddings endpoint during user-invoked indexing.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall`; its only lifecycle hook is publisher-side `prepublishOnly`.
- `src/index.ts` is export-only, with no import-time setup, network call, or configuration mutation.
- Installer writes are gated behind explicit CLI commands, interactive selection, displayed plan, and confirmation.
- Hook installation is marked experimental and unchecked by default.
- Network code is package-aligned: embedding requests support semantic search and update checks query npm registry.
- No hidden payload download, dynamic code evaluation, credential harvesting, or arbitrary shell execution was found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcegrammars/tree-sitter-go.wasmView file
•path = grammars/tree-sitter-go.wasm
kind = wasm_module
sizeBytes = 217182
magicHex = [redacted]
Medium
Findings
4 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulegrammars/tree-sitter-go.wasm
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings