registry  /  @taurgis/bonsai  /  3.0.2

@taurgis/bonsai@3.0.2

Bonsai is a standalone local research cache CLI for AI agents

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package runs an install-time `npx forward-nexus sync --pull` command. Source ships broad AI-agent hook examples that alter URL-fetch behavior, but inspected package files do not directly copy them into agent config paths.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @taurgis/bonsai@3.0.2
Impact
Unconsented install-time execution may mutate an AI-agent control surface or run code fetched via npx before user invocation.
Mechanism
postinstall external agent-sync command
Policy narrative
On install, package.json invokes `npx forward-nexus sync --pull` unless CI or FORWARD_NEXUS_SKIP_SYNC is set. The package also contains agent hook configurations that deny native web-fetch tools and instruct agents to run Bonsai. Although those shipped hooks are documented as examples and no direct in-package installer was found, the postinstall sync is an unconsented install-time command aimed at agent integration state.
Rationale
Static inspection confirms a postinstall external sync command tied to AI-agent hook/control-surface behavior, which meets the policy boundary for blocking unconsented install-time mutation. Other suspicious primitives are largely package-aligned, but they do not neutralize the install-time agent sync risk. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonagents/hooks/README.mdagents/hooks/claude-code/settings.jsonagents/hooks/codex/hooks.jsonagents/hooks/cursor/hooks.jsonagents/hooks/github-copilot/bonsai-web-fetch.jsondist/lib/research/browser.jsdist/lib/research/fetcher.jsbin/cli.mjsagents/hooks/claude-code/hooks/bonsai-web-fetch.shagents/hooks/codex/hooks/bonsai-web-fetch.shagents/hooks/codex/hooks/bonsai-user-prompt-context.shagents/hooks/cursor/hooks/bonsai-web-fetch.shagents/hooks/github-copilot/bonsai-web-fetch.sh

Decision evidence

public snapshot
AI called this Malicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json postinstall executes `npx forward-nexus sync --pull` during npm install
  • postinstall runs an external package manager command not declared in dependencies
  • Package ships agent hook configs for Claude Code, Codex, Cursor, and GitHub Copilot under agents/hooks
  • Hook configs deny native web fetch tools and route agents to `npx @taurgis/bonsai`
  • agents/hooks/README.md describes hooks as intentionally intrusive
Evidence against
  • Lifecycle has CI and FORWARD_NEXUS_SKIP_SYNC opt-out guards
  • Shipped hook files are examples per agents/hooks/README.md and are not directly installed by package source inspected
  • dist/lib/research/browser.js child_process use only locates/spawns Chrome for user-invoked rendered fetching
  • Fetch code includes DNS/private IP checks, redirects limits, content-type checks, and body limits
  • No credential harvesting, destructive behavior, or explicit exfiltration found in inspected source
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 73 file(s), 333 KB of source, external domains: bonsai.rhino-inquisitor.com, docs.nestjs.com, example.com, help.salesforce.com, news.ycombinator.com, raw.githubusercontent.com, react.dev

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "if (process.env.CI || process.env.FORWARD_NEXUS_SKIP_SYNC) { console.log('Skipping forward-nexus sync.'); process.exit(0); } require('node:child_process').execFileSync('np...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "if (process.env.CI || process.env.FORWARD_NEXUS_SKIP_SYNC) { console.log('Skipping forward-nexus sync.'); process.exit(0); } require('node:child_process').execFileSync('np...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/lib/research/browser.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/lib/research/browser.jsView on unpkg · L1
package.json#scripts.postinstallView file
1if (process.env.CI || process.env.FORWARD_NEXUS_SKIP_SYNC) { console.log('Skipping forward-nexus sync.'); process.exit(0); } require('node:child_process').execFileSync('npx', ['for...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

package.json#scripts.postinstallView on unpkg · L1
agents/hooks/claude-code/hooks/bonsai-web-fetch.shView file
path = agents/hooks/claude-code/hooks/bonsai-web-fetch.sh kind = build_helper sizeBytes = 686 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

agents/hooks/claude-code/hooks/bonsai-web-fetch.shView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/lib/research/browser.js
HighShell
HighRuntime Package Installpackage.json#scripts.postinstall
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperagents/hooks/claude-code/hooks/bonsai-web-fetch.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License