AI Security Review
scanned 3d ago · by lpm-firewall-ai

The package mutates Claude/AI-agent control surfaces during npm postinstall. It installs package-supplied skills and registers an MCP server that runs amicus via npx.
Decision evidence
public snapshot
- package.json defines postinstall: node scripts/postinstall.js.
- scripts/postinstall.js copies package skills into ~/.claude/skills/sidecar and ~/.claude/skills/second-opinion at install time.
- scripts/postinstall.js registers MCP servers in Claude Code/Desktop configs, falling back to writes to ~/.claude.json and claude_desktop_config.json.
- Registered MCP command is npx -y amicus@latest mcp, giving the package an AI-agent tool/control surface after install.
- postinstall invokes claude mcp add-json when available, modifying user-scoped Claude Code configuration without an explicit runtime command.
- Postinstall setup is documented in comments and logs, and failures are non-fatal.
- Electron provisioning defaults to cache-only; networked Electron prewarm requires AMICUS_PREFETCH_ELECTRON=1.
- bin/amicus.js credential loading appears tied to CLI operation, not automatic exfiltration.
- No credential harvesting or exfiltration endpoint was confirmed in inspected files.
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Package source references dynamic require/import behavior. (bin/amicus.js, line 13)
- Install-time source drops package-supplied AI-agent/MCP control files or instructions. (scripts/postinstall.js, line 5)
- This package version adds a dangerous source file absent from the previous stored version. (src/sidecar/electron-install.js)