AI Security Review
scanned 1d ago · by lpm-firewall-ai

Install-time script mutates Claude/AI-agent control surfaces by installing package-supplied skills and registering MCP servers. This gives the package persistent invocation paths in future AI-agent sessions without an explicit runtime command from the user.
Decision evidence
public snapshot
- package.json defines postinstall: node scripts/postinstall.js.
- scripts/postinstall.js copies package skills into ~/.claude/skills/sidecar and ~/.claude/skills/second-opinion.
- scripts/postinstall.js registers MCP servers in Claude Code/Desktop configs, including fallback writes to ~/.claude.json and claude_desktop_config.json.
- MCP config uses command npx with args ['-y','amicus@latest','mcp'], causing future agent sessions to invoke this package.
- skills/sidecar/SKILL.md contains agent-triggering instructions to spawn amicus commands and use Build mode with full tool access.
- Postinstall is visible in package.json, best-effort, and can be skipped with AMICUS_SKIP_POSTINSTALL=1.
- Network/API code appears aligned with an LLM sidecar tool rather than credential exfiltration.
- Credential loader reads known provider keys into process.env for model access and does not show outbound exfiltration by itself.
- MCP server constrains explicit project roots before spawning sidecar sessions.
Source & flagged code
5 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- bin/amicus.js (line 13): Package source references dynamic require/import behavior.
- scripts/postinstall.js (line 5): Install-time source drops package-supplied AI-agent/MCP control files or instructions.
- src/mcp-server.js: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.