registry  /  @theokit/sdk  /  2.22.0

@theokit/sdk@2.22.0

TypeScript SDK for the Theo agent harness — same surface, local or cloud.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `theokit-init-claude` (optionally with `--force`) in a project directory.
Impact
Can alter the local AI-agent instruction and permission surface of the target project when explicitly invoked.
Mechanism
Copies bundled Claude configuration, skills, rules, and root instruction files into the invoking project.
Rationale
No malicious behavior was established by direct source inspection. Downgrade to warn because the explicit initializer can modify a project’s AI-agent control surface, despite being opt-in and first-party scoped.
Evidence
package.jsonbin/init-claude.mjsbin/theokit-migrate-config.mjsbin/theokit-migrate-memory.mjsclaude-template/dot-claude/settings.jsondist/index.cjsdist/project.cjsdist/cron.cjsclaude-template/dot-claude/skills./.claude./AGENTS.md./CLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/init-claude.mjs` explicitly copies package templates into the invoking project’s `.claude/`, `AGENTS.md`, and `CLAUDE.md`.
  • The init command can overwrite existing project files only when the user passes `--force`.
  • `bin/theokit-migrate-config.mjs` writes only after explicit `--apply`; `bin/theokit-migrate-memory.mjs` can remove legacy data after interactive confirmation.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • Agent-control mutation is reachable only through the declared `theokit-init-claude` CLI, not package import or installation.
  • `bin/init-claude.mjs` copies bundled `claude-template` files and skips existing destinations by default.
  • `claude-template/dot-claude/settings.json` grants limited development commands and denies `.env` reads, sudo, and recursive deletion.
  • Observed network and environment references in bundled code implement configured LLM/provider SDK functionality; no covert exfiltration path was confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 53 file(s), 5.34 MB of source, external domains: api.anthropic.com, api.cohere.com, api.deepinfra.com, api.jina.ai, api.mistral.ai, api.openai.com, api.usetheo.dev, api.voyageai.com, bedrock-runtime.us-east-1.amazonaws.com, generativelanguage.googleapis.com, github.com, openrouter.ai, us-central1-aiplatform.googleapis.com, us.i.posthog.com, www.googleapis.com, your-resource.openai.azure.com

Source & flagged code

1 flagged · loading source
dist/project.cjsView file
2L3: var promises = require('fs/promises'); L4: var path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/project.cjsView on unpkg · L2

Findings

3 Medium5 Low
MediumDynamic Requiredist/project.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings