registry  /  @utilitywarehouse/hearth-react  /  0.31.1

@utilitywarehouse/hearth-react@0.31.1

React components

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
Explicit execution of `hearth-react` / `npx @utilitywarehouse/hearth-react init-ai`
Impact
Can influence configured coding-agent behavior in the current project after an explicit user command.
Mechanism
Appends a local `SKILL.md` reference to existing agent configuration files
Rationale
Flagged as warning because an explicit CLI modifies multiple AI-agent control files, including `AGENTS.md`. Source inspection found this behavior is documented, local, and user-invoked, not malicious.
Evidence
package.jsonscripts/init-ai.jsSKILL.mdREADME.mdpublic/llms/docs/a-i-tools.mdCLAUDE.md.cursorrules.windsurfrules.clinerulesAGENTS.md.github/copilot-instructions.md

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/init-ai.js` is an executable CLI that appends package-controlled skill references to detected AI-assistant configuration files.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • No shell, child-process, eval, dynamic loading, outbound HTTP, credential harvesting, or exfiltration primitive was found in executable JS/CJS.
  • The CLI runs only through the package bin/user command and prompts before creating `CLAUDE.md` when no config exists.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
MinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,025 file(s), 676 KB of source, external domains: www.w3.org

Source & flagged code

1 flagged · loading source
scripts/init-ai.jsView file
Published source reference
Medium
Ai Review Evidence

`scripts/init-ai.js` is an executable CLI that appends package-controlled skill references to detected AI-assistant configuration files.

scripts/init-ai.jsView on unpkg

Findings

2 Medium3 Low
MediumEnvironment Vars
MediumAi Review Evidencescripts/init-ai.js
LowScripts Present
LowFilesystem
LowUrl Strings