registry  /  @uge/payo  /  1.2.0

@uge/payo@1.2.0

CLI tool to generate AI rules and skills for your project

AI Security Review

scanned 8d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `payo` or `npx @uge/payo` and chooses generation options.
Impact
Can modify project-local AI guidance files and, for selected assistant backends, delegate writing to local AI agents with permissive flags.
Mechanism
interactive AI guidance generator and local assistant CLI launcher
Policy narrative
The package is an interactive CLI for creating AI assistant guidance. When invoked by the user it may write project-local agent config files and spawn installed assistant CLIs such as claude, codex, cursor-agent, copilot, or agy. Some spawned commands use permission-bypass flags, which is risky, but this is not delivered through npm lifecycle execution and is aligned with the documented purpose.
Rationale
Source inspection shows a documented, user-invoked AI guidance generator with risky agent-facing capabilities but no unconsented install-time mutation, credential harvesting, exfiltration, persistence, or package-owned remote command channel. Because it can launch local AI tools with permissive flags and write broad agent control files, warn rather than mark fully clean.
Evidence
package.jsondist/index.jsREADME.mdCLAUDE.md.claude/skills/**.cursorrules.cursor/rules/**.github/copilot-instructions.md.github/instructions/**AGENTS.md.agents/skills/**.windsurfrulesAI_RULES.md.payo/**bootstrap-prompt.md

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js defines user-invoked CLI generation of AI assistant files: CLAUDE.md, .claude/skills, .cursor/rules, AGENTS.md, .agents/skills, .github/instructions.
  • dist/index.js spawns local assistant CLIs via child_process.spawn for selected tools.
  • Claude and Antigravity agent args include permission-bypass flags when the user selects AI generation.
  • dist/index.js reads existing project manifests and directory listings for stack detection.
Evidence against
  • package.json has no install/postinstall lifecycle hook; prepack is publish-time build only.
  • CLI writes are bounded to process.cwd() by pX refusing paths outside the project directory.
  • No package-owned network endpoint or exfiltration flow found; network mentions are README badges/images and external assistant CLIs.
  • README documents that the tool writes assistant guidance files and may drive locally installed AI CLIs.
  • Static generation falls back to templates and does not require remote code or package server contact.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 476 KB of source, external domains: github.com, json-schema.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
177`)} L178: ---`}var G_={id:"cursor",displayName:"Cursor",knownArtifacts:[".cursorrules",".cursor/rules"],generate:(r)=>[{path:".cursorrules",content:gr("Cursor Rules",r.sections)}],agent:{bin... L179: `),b=v.map((z)=>`- ${z}: one of [${gb(z,g).join(", ")}]`).join(`
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L177
177`)} L178: ---`}var G_={id:"cursor",displayName:"Cursor",knownArtifacts:[".cursorrules",".cursor/rules"],generate:(r)=>[{path:".cursorrules",content:gr("Cursor Rules",r.sections)}],agent:{bin... L179: `),b=v.map((z)=>`- ${z}: one of [${gb(z,g).join(", ")}]`).join(` ... L182: `),"Review your stack"),await g()==="generate")return v;let i=xX(r,v),u=await $(i);if(!u)continue;let I=i.find((U)=>U.id===u);if(!I)continue;if(I.kind==="gate")v=mX(r,v,u);else{let... L183: `),`Recommended ${g.title} settings`)}let b=await vv({id:g.id,type:"select",message:`${g.title} — how to proceed?`,options:U,allowOther:!1},v.answers);v=dr(v,g.id,b),I=Db(b)}if(I==... L184: `)}];var sN={id:"tailwind",title:"Tailwind CSS",category:"styling",appliesTo:(r)=>r.stylingLibrary==="tailwind",questions:()=>[{id:"tailwind.config",type:"select",summary:"Config s...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L177
167`)});let s=[],m=Wr(r,"formatter");if(m)s.push(`- Formatter: ${m}`);let S=Wr(r,"linter");if(S)s.push(`- Linter: ${S}`);if(s.length)v.push({title:"Tooling",body:s.join(` L168: `)});let O=Wr(r,"gitWorkflow");if(O){let V=[`Follow the ${O} workflow.`,"- Maintain a comprehensive .gitignore (build output, dependencies, environment/secret files, OS/editor arti... L169: `)})}v.push(...Y_(r));let y=Object.keys(r).filter((V)=>V.includes(".")&&r[V]!==void 0&&r[V]!=="").map((V)=>`- ${jX(V)}: ${JX(r[V])}`);if(y.length)v.push({title:"Tech Details",body:... ... L177: `)} L178: ---`}var G_={id:"cursor",displayName:"Cursor",knownArtifacts:[".cursorrules",".cursor/rules"],generate:(r)=>[{path:".cursorrules",content:gr("Cursor Rules",r.sections)}],agent:{bin... L179: `),b=v.map((z)=>`- ${z}: one of [${gb(z,g).join(", ")}]`).join(` ... L182: `),"Review your stack"),await g()==="generate")return v;let i=xX(r,v),u=await $(i);if(!u)continue;let I=i.find((U)=>U.id===u);if(!I)continue;if(I.kind==="gate")v=mX(r,v,u);else{let... L183: `),`Recommended ${g.title} settings`)}let b=await vv({id:g.id,type:"select",message:`${g.title} — how to proceed?`,options:U,allowOther:!1},v.answers);v=dr(v,g.id,b),I=Db(
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L167
83${I} L84: `}}}}).prompt();import pv from"fs";import TW from"path";import{randomUUID as lW}from"crypto";var Qr={};Tr(Qr,{xor:()=>BD,xid:()=>nD,void:()=>OD,uuidv7:()=>d0,uuidv6:()=>y0,uuidv4:(... L85: `)}var O$=(r)=>(v,n,g,$)=>{let i=g?{...g,async:!1}:{async:!1},u=v._zod.run({value:n,issues:[]},i);if(u instanceof Promise)throw new or;if(u.issues.length){let I=new($?.Err??r)(u.is...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L83

Findings

3 High2 Medium5 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings