registry  /  @utilitywarehouse/hearth-react-native  /  0.35.0

@utilitywarehouse/hearth-react-native@0.35.0

Utility Warehouse React Native UI library

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `npx @utilitywarehouse/hearth-react-native init-ai`.
Impact
Can influence configured coding agents to load the package's component-library guidance.
Mechanism
User-invoked append-only AI-agent config mutation.
Rationale
The explicit command mutates AI-agent configuration and therefore warrants a warning under the supplied policy, but there is no concrete malicious execution chain. It should not be publish-blocked.
Evidence
package.jsonscripts/init-ai.jsSKILL.mdREADME.mdCLAUDE.md.cursorrules.windsurfrules.clinerulesAGENTS.md.github/copilot-instructions.md

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/init-ai.js` is an executable bin that scans and appends to AI-agent config files.
  • It can modify `CLAUDE.md`, `AGENTS.md`, Cursor, Windsurf, Cline/Roo, and Copilot instruction files.
  • The appended references direct agents to the package-owned `SKILL.md`.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
  • The mutation occurs only through the explicit `npx @utilitywarehouse/hearth-react-native init-ai` command.
  • No child-process, eval, dynamic loading, credential harvesting, or package-code network calls were found.
  • `SKILL.md` is component-library guidance; no secret-exfiltration or destructive instructions were found.
  • No native binaries, archives, or bytecode payloads were present.
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 682 file(s), 915 KB of source

Source & flagged code

1 flagged · loading source
scripts/init-ai.jsView file
Published source reference
Medium
Ai Review Evidence

`scripts/init-ai.js` is an executable bin that scans and appends to AI-agent config files.

scripts/init-ai.jsView on unpkg

Findings

3 Medium2 Low
MediumAi Review Evidencescripts/init-ai.js
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem