registry  /  @theokit/sdk  /  2.13.0

@theokit/sdk@2.13.0

TypeScript SDK for the Theo agent harness — same surface, local or cloud.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `theokit-init-claude` (optionally with `--force`).
Impact
Can broaden permitted shell actions for Claude Code in that project and add agent instructions.
Mechanism
Copies packaged Claude configuration and prompt templates into the workspace.
Rationale
The package contains an explicit CLI that mutates a Claude Code control surface, which warrants a warning under the stated policy. It lacks lifecycle hooks and no concrete malicious behavior was established.
Evidence
package.jsonbin/init-claude.mjsclaude-template/dot-claude/settings.jsonclaude-template/AGENTS.mdclaude-template/CLAUDE.md.claude/**AGENTS.mdCLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/init-claude.mjs` explicitly copies `.claude` templates into the caller workspace.
  • It also writes root `AGENTS.md` and `CLAUDE.md` when absent, or overwrites them with `--force`.
  • `claude-template/dot-claude/settings.json` grants Claude Code `Bash(npm run *)`, `Bash(pnpm *)`, and `Bash(npx *)`.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • The control-surface mutation occurs only through the user-invoked `theokit-init-claude` binary.
  • Template settings deny `.env*` reads, `sudo`, and `rm -rf`.
  • No credential harvesting, covert exfiltration, remote payload execution, or hidden persistence was confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 55 file(s), 4.91 MB of source, external domains: api.anthropic.com, api.cohere.com, api.deepinfra.com, api.jina.ai, api.mistral.ai, api.openai.com, api.usetheo.dev, api.voyageai.com, bedrock-runtime.us-east-1.amazonaws.com, generativelanguage.googleapis.com, github.com, openrouter.ai, us-central1-aiplatform.googleapis.com, us.i.posthog.com, www.googleapis.com, your-resource.openai.azure.com

Source & flagged code

1 flagged · loading source
dist/project.cjsView file
2L3: var promises = require('fs/promises'); L4: var path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/project.cjsView on unpkg · L2

Findings

3 Medium5 Low
MediumDynamic Requiredist/project.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings