AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `theokit-init-claude` in a project directory.
Impact
A user-invoked setup can expand Claude Code's permitted local command surface in that project.
Mechanism
Explicit AI-agent configuration and instruction-template copy.
Rationale
The package is not concretely malicious, but it has a real user-invoked AI-agent control-surface mutation that grants command permissions. Per policy, this is a non-blocking warning rather than a publish block.
Evidence
package.jsonbin/init-claude.mjsclaude-template/dot-claude/settings.jsondist/sandbox/index.jsbin/theokit-migrate-config.mjsbin/theokit-migrate-memory.mjsclaude-template/AGENTS.mdclaude-template/CLAUDE.md
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/init-claude.mjs` explicitly writes `.claude/`, `AGENTS.md`, and `CLAUDE.md` into the current project.
- Its template settings allow package-manager shell commands for Claude Code.
- `dist/sandbox/index.js` provides user-invoked shell execution via `/bin/sh -c`.
- `bin/theokit-migrate-memory.mjs` can delete a workspace SQLite file only after an interactive confirmation.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Claude configuration changes require explicit `theokit-init-claude` invocation.
- `bin/theokit-migrate-config.mjs` defaults to dry-run and requires `--apply` to write.
- The Claude template denies `.env` reads, `sudo`, and `rm -rf`; no credential exfiltration or hidden endpoint was found.
- Dynamic module loading in `dist/index.cjs` targets declared optional integrations.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
2 flagged · loading sourcedist/project.cjsView file
2L3: var promises = require('fs/promises');
L4: var path = require('path');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/project.cjsView on unpkg · L2dist/sandbox/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @theokit/sdk@2.15.2
matchedIdentity = npm:QHRoZW9raXQvc2Rr:2.15.2
similarity = 0.930
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/sandbox/index.jsView on unpkgFindings
1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/sandbox/index.js
MediumDynamic Requiredist/project.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings