AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Installation mutates a consumer project's AI-agent instruction file without consent. The added pointer can influence subsequent agent behavior through package-supplied instructions.
Decision evidence
public snapshot- package.json runs postinstall automatically.
- scripts/postinstall.mjs locates consumer project root.
- It appends to or creates CLAUDE.md or AGENTS.md.
- Injected text directs agents to package-controlled AGENTS.md.
- No network, shell, eval, or payload loading found.
- dist/index.js is a React UI component bundle.
- Font files are valid WOFF2 assets.
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.mjsView on unpkg · L3Manifest entrypoint contains risky behavior absent from dist/build output.
scripts/postinstall.mjsView on unpkg · L25Source fingerprint signature matches a known malicious package signature; route for source-aware review.
scripts/postinstall.mjsView on unpkgPackage ships high-entropy non-source blobs.
dist/fonts/Struve-Medium.woff2View on unpkg