registry  /  @trackunit/iris-app  /  2.1.12

@trackunit/iris-app@2.1.12

The `@trackunit/iris-app` package is a plugin for [NX by @nrwl](https://nx.dev/). This plugin adds some helpful generators used to set up a Trackunit Iris App project.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs the `preset` or `ai-agent-sync` Nx generator.
Impact
A generated workspace may load MCP servers, including floating `@latest` npx packages, when its editor/agent uses the configuration.
Mechanism
Writes AI-agent config and symlinks shared skills; registers MCP commands.
Rationale
No concrete malicious behavior was found by source inspection. The explicit generator-driven AI-agent configuration mutation is a non-blocking but meaningful capability risk.
Evidence
package.jsonsrc/generators/ai-agent-sync/generator.jssrc/generators/preset/generator.jssrc/generators/utils/link-claude-skills.jssrc/generators/preset/files/.cursor/mcp.json.cursor/mcp.json.agents/skillsAGENTS.mdCLAUDE.md.claude/skills
Network endpoints1
mcp.trackunit.ai/mcp

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `ai-agent-sync` explicitly writes Cursor, agent, and root AI-instruction files.
  • Generated `.cursor/mcp.json` registers two `npx -y ...@latest` MCP commands and `https://mcp.trackunit.ai/mcp`.
  • The preset/sync generators create `.claude/skills` symlink to generated agent skills.
  • Agent-config changes occur only when the user invokes an Nx generator; no package lifecycle hook exists.
Evidence against
  • `package.json` has no `scripts`, including no preinstall/install/postinstall hook.
  • Symlink helper refuses to replace an existing file, directory, or differing symlink.
  • Network code is limited to user-invoked Trackunit authentication, submission, approval, and unpublish flows.
  • No child-process, eval/vm, payload download-and-execute, credential harvesting, or stealth persistence was found.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 14 file(s), 62.7 KB of source, external domains: auth.trackunit.com, dev.auth.trackunit.com, dev.awsapi.trackunit.com, dev.iris.trackunit.app, identity.dev.iris.trackunit.com, identity.iris.trackunit.com, identity.stage.iris.trackunit.com, iris.trackunit.app, prod.awsapi.trackunit.com, stage.auth.trackunit.com, stage.awsapi.trackunit.com, stage.iris.trackunit.app, trackunit.com

Source & flagged code

1 flagged · loading source
cursor/mcp.jsonView file
Published source reference
Medium
Ai Review Evidence

Generated `.cursor/mcp.json` registers two `npx -y ...@latest` MCP commands and `https://mcp.trackunit.ai/mcp`.

cursor/mcp.jsonView on unpkg

Findings

6 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidencecursor/mcp.json
MediumAi Review Evidence
MediumSuspicious Lifecycle Evidence
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License