AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Install-time code mutates AI-agent instruction files in the consuming project. It writes an instruction pointer to this package's own AGENTS file without an explicit user command.
Decision evidence
public snapshot- `package.json` runs `node scripts/postinstall.mjs` automatically on dependency installation.
- `scripts/postinstall.mjs` selects the consumer-root `CLAUDE.md` or `AGENTS.md` and creates or appends it.
- The injected block directs an AI agent to follow package-controlled `node_modules/artefact-design-system/AGENTS.md`.
- The mutation is automatic, targets a foreign project control surface, and is suppressed only by broad error handling.
- `scripts/postinstall.mjs` contains no network, subprocess, eval, or credential-harvesting behavior.
- `dist/index.js` imports UI/runtime dependencies and shows no Node filesystem or shell access.
- Bundled `.woff2` files identify as normal WOFF2 fonts.
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.mjsView on unpkg · L3Manifest entrypoint contains risky behavior absent from dist/build output.
scripts/postinstall.mjsView on unpkg · L25Source fingerprint signature matches a known malicious package signature; route for source-aware review.
scripts/postinstall.mjsView on unpkgPackage ships high-entropy non-source blobs.
dist/fonts/Struve-Medium.woff2View on unpkg