AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a shared code-generation library that emits MCP host/runtime files and project stubs when its exported helpers are invoked.
Static reason
No blocking static signals were detected.
Trigger
npm postinstall runs husky; runtime behavior requires importing ./codegen helpers or running generated hosts
Impact
User-invoked file generation and local server hosting; no observed credential exfiltration or AI-agent control hijack
Mechanism
code generation helpers, local env loading, generated local HTTP MCP server templates
Rationale
Static inspection found lifecycle and code-generation primitives, but they are package-aligned and user-invoked with no concrete malicious chain. The postinstall husky hook is not an AI-agent control-surface mutation and no exfiltration, remote code execution, or stealth persistence was found.
Evidence
package.jsonout/codegen/index.jsout/codegen/project-bootstrap.jsout/codegen/render-http-mcp-server.jsout/codegen/render-oauth-http-mcp-server.jsout/codegen/render-mcp-host-shared.jsout/codegen/mcp-host-product-runtime.jsout/scripts/render-kill-listeners-on-port.mjs.jsout/codegen/auth-stub-bootstrap.jsout/codegen/logging-adapter-bootstrap.jsout/codegen/write-demos-test-support.js
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall "husky", an install-time lifecycle command
- out/scripts/render-kill-listeners-on-port.mjs.js renders a user-invoked helper using execSync to run lsof/ps/kill
- out/codegen/project-bootstrap.js and auth/logging bootstrap files write generated project files when called
Evidence against
- package.json exports only ./codegen and has no bin entrypoint
- No preinstall/install/postinstall code in package source writes AI-agent config or exfiltrates data
- Network code in out/codegen/render-http-mcp-server.js and render-oauth-http-mcp-server.js renders user-run local MCP HTTP servers
- Env and credential handling is for generated MCP host auth/base URL context, not harvesting or outbound transmission
- No hardcoded external exfiltration endpoint, dynamic remote payload loading, eval/vm, persistence, or destructive install behavior found
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = husky
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings