AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `theokit-init-claude` after installation.
Impact
Adds project-local AI-agent instructions and command allowlists; no stealth persistence, credential exfiltration, or foreign control-surface mutation was confirmed.
Mechanism
Explicit CLI copies first-party Claude Code templates into the current project.
Rationale
The package is not malicious by source inspection: it has no lifecycle hook, remote payload execution, or credential-exfiltration path. Per policy, the explicit Claude Code configuration mutation is a warn-level AI-agent capability risk.
Evidence
package.jsonbin/init-claude.mjsbin/theokit-migrate-config.mjsbin/theokit-migrate-memory.mjsclaude-template/dot-claude/settings.jsondist/index.jsdist/project.jsclaude-template/AGENTS.mdclaude-template/CLAUDE.md.claude/AGENTS.mdCLAUDE.md
Network endpoints2
api.usetheo.devus.i.posthog.com
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `bin/init-claude.mjs` explicitly copies bundled Claude configuration into the caller's `.claude/` plus root `AGENTS.md` and `CLAUDE.md`.
- `claude-template/dot-claude/settings.json` grants Claude Code selected npm/pnpm/npx and git Bash permissions when the explicit init CLI is run.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- The agent-control mutation is only reachable through the user-invoked `theokit-init-claude` bin command.
- `bin/init-claude.mjs` performs local copy operations only; no network, shell, or child-process execution.
- Template settings deny `.env` reads, `sudo`, and `rm -rf` commands.
- `dist/index.js` loads optional telemetry modules with guarded `safeRequire`; no remote code loading or eval/vm primitive was found.
- `dist/index.js` network hosts are SDK/provider endpoints and its child-process helper scrubs secret-like environment variables by default.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/project.cjsView file
2L3: var promises = require('fs/promises');
L4: var path = require('path');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/project.cjsView on unpkg · L2Findings
3 Medium5 Low
MediumDynamic Requiredist/project.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings