registry  /  @theokit/sdk  /  2.25.0

@theokit/sdk@2.25.0

TypeScript SDK for the Theo agent harness — same surface, local or cloud.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit CLI can modify a caller workspace's Claude Code configuration and add permissive command allow rules. No install-time mutation, stealth persistence, or credential exfiltration was confirmed.

Static reason
No blocking static signals were detected.
Trigger
User runs `theokit-init-claude` in a project directory.
Impact
May broaden the local AI-agent command permissions after an explicit user action.
Mechanism
Copies bundled Claude Code templates and permission settings into the current workspace.
Rationale
The package is not concretely malicious, but it deliberately changes an AI-agent control surface through an explicit CLI and grants broad command permissions. Under the firewall policy, this is a warn-level agent extension lifecycle risk.
Evidence
package.jsonbin/init-claude.mjsbin/theokit-migrate-config.mjsbin/theokit-migrate-memory.mjsclaude-template/dot-claude/settings.jsondist/index.jsdist/sandbox/index.jsclaude-template/AGENTS.mdclaude-template/CLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/init-claude.mjs` explicitly copies `.claude` settings, skills, rules, `AGENTS.md`, and `CLAUDE.md` into the caller's workspace.
  • `claude-template/dot-claude/settings.json` grants Claude Code `Bash(npm run *)`, `Bash(pnpm *)`, and `Bash(npx *)` permissions.
  • `bin/theokit-migrate-config.mjs` writes and renames caller-selected `.theokit` configuration only with `--apply`.
  • `dist/sandbox/index.js` exposes shell execution through `/bin/sh -c` when its sandbox API is invoked.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • The `.claude` mutation is behind the explicit `theokit-init-claude` bin command, not package installation or import.
  • The init CLI copies bundled local template files; it contains no network or payload download logic.
  • `dist/index.js` uses provider API keys and endpoints as SDK runtime configuration and includes secret-redaction logic.
  • Dynamic `createRequire` usages load declared optional integrations such as `zod`, LanceDB, and OpenTelemetry.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 53 file(s), 5.37 MB of source, external domains: api.anthropic.com, api.cohere.com, api.deepinfra.com, api.jina.ai, api.mistral.ai, api.openai.com, api.usetheo.dev, api.voyageai.com, bedrock-runtime.us-east-1.amazonaws.com, generativelanguage.googleapis.com, github.com, openrouter.ai, us-central1-aiplatform.googleapis.com, us.i.posthog.com, www.googleapis.com, your-resource.openai.azure.com

Source & flagged code

1 flagged · loading source
dist/project.cjsView file
2L3: var promises = require('fs/promises'); L4: var path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/project.cjsView on unpkg · L2

Findings

3 Medium5 Low
MediumDynamic Requiredist/project.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings