AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `theokit-init-claude`.
Impact
Adds or optionally overwrites first-party TheoKit Claude templates and command permissions in that workspace.
Mechanism
Explicit workspace AI-agent configuration copy.
Rationale
Source inspection found no malicious install/import behavior, but the explicit Claude initializer mutates AI-agent configuration and grants configured command permissions. Per policy, this is a warn-level explicit-user-command agent configuration risk rather than a block.
Evidence
package.jsonbin/init-claude.mjsclaude-template/dot-claude/settings.jsonbin/theokit-migrate-config.mjsbin/theokit-migrate-memory.mjsdist/sandbox/index.jsdist/project.cjs.claude/AGENTS.mdCLAUDE.md
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/init-claude.mjs` explicitly copies `.claude` settings/skills and root `AGENTS.md`/`CLAUDE.md` into the caller workspace.
- The initializer runs only through the user-invoked `theokit-init-claude` bin command; it supports `--force` overwrite.
- `claude-template/dot-claude/settings.json` grants Claude Code selected npm/pnpm/npx and git commands.
Evidence against
- `package.json` contains no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- Initializer uses package-local templates and writes only the invoked working directory; no network or credential collection is present.
- Migration CLIs are explicit commands and default to dry-run or require confirmation/options before mutation.
- Reviewed dynamic imports load declared optional TheoKit modules; reviewed process spawning is runtime-configured MCP/sandbox functionality with secret-env scrubbing.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
2 flagged · loading sourcedist/project.cjsView file
2L3: var promises = require('fs/promises');
L4: var path = require('path');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/project.cjsView on unpkg · L2dist/a2a/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @theokit/sdk@2.18.1
matchedIdentity = npm:QHRoZW9raXQvc2Rr:2.18.1
similarity = 0.811
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/a2a/index.jsView on unpkgFindings
1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/a2a/index.js
MediumDynamic Requiredist/project.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings