AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface was confirmed. An explicit codegen command can emit instructions to install a package-owned agent skill and configure a VWork MCP server, but the CLI does not apply those changes itself.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `vwork codegen skill install-curl` and separately executes its emitted shell command, or manually applies `vwork codegen mcp config-snippet` output.
Impact
A user who follows the emitted command installs a remotely fetched VWork skill into an agent skill directory.
Mechanism
Explicit agent-extension and MCP setup guidance
Rationale
Source inspection found no lifecycle-triggered or hidden malicious behavior. The package exposes explicit user-driven agent-extension setup guidance, which warrants a warning under the firewall policy.
Evidence
package.jsondist/index.jsdist/oclif-command.jsdist/codegen.jsdist/update.jsdist/auth/store.js$HOME/.agents/skills/vwork-backend-service/SKILL.md$HOME/.codex/skills/vwork-backend-service/SKILL.md
Network endpoints2
vwork.vvicat.dev/skill.mdvwork.vvicat.dev/api
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/codegen.js` emits a curl command that installs `SKILL.md` into `$HOME/.agents` or `$HOME/.codex` after explicit user execution.
- `dist/codegen.js` emits Codex MCP configuration snippets that point to a remote VWork MCP endpoint.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `dist/index.js` runs only when invoked as the `vwork` CLI.
- The skill installer only returns text; it does not execute curl or write agent configuration itself.
- `dist/update.js` runs a fixed npm/pnpm global update only after the explicit `vwork update` command.
- No eval, dynamic module loading, credential exfiltration, stealth persistence, or destructive import-time behavior was found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcedist/update.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @vwork/cli@0.1.10
matchedIdentity = npm:QHZ3b3JrL2NsaQ:0.1.10
similarity = 0.684
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/update.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/update.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License