
audit-tools@0.30.49

Portable hybrid code auditing + remediation orchestrators for arbitrary repositories.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Confirmed install-time mutation of AI-agent control surfaces in the user's home directory. The lifecycle hook installs global commands, skills, plugin manifests, and OpenCode permissions without an explicit runtime command from the operator.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
npm install / package postinstall
Impact
Global Claude/Codex/OpenCode/Antigravity behavior and permissions can be changed during dependency installation.
Mechanism
unconsented lifecycle AI-agent control-surface mutation
Policy narrative
On installation, package.json invokes scripts/postinstall.mjs, which launches audit and remediate deployers. Those scripts copy prompts/skills into global Claude and Codex locations, install Antigravity plugins, and merge OpenCode command/agent permission config, including broad auditor permissions. This modifies AI-agent command surfaces and permissions as a dependency lifecycle side effect rather than a user-invoked setup command.
Rationale
The source confirms install-time writes to global AI-agent configuration and permission surfaces, which is a concrete unconsented control-surface mutation. Scanner concerns about runtime command execution are package-aligned, but the lifecycle behavior alone warrants blocking. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • scripts/audit/postinstall.mjs
  • scripts/remediate/postinstall.mjs
  • dist/audit/orchestrator/runtimeCommand.js
  • audit-code.mjs
  • remediate-code.mjs
  • ~/.claude/commands/audit-code.md
  • ~/.claude/commands/remediate-code.md
  • ~/.codex/skills/audit-code/SKILL.md
  • ~/.codex/skills/remediate-code/SKILL.md
  • ~/.config/opencode/opencode.json
  • ~/.gemini/config/plugins/audit-code/plugin.json
  • ~/.gemini/config/plugins/remediate-code/plugin.json
  • .gitignore
Network endpoints (1)
github.com/OhOkThisIsFine/audit-tools

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs runs audit and remediate postinstall child scripts at install time.
  • scripts/audit/postinstall.mjs writes global Claude/Codex/OpenCode/Antigravity agent assets under homedir.
  • scripts/audit/postinstall.mjs seeds OpenCode auditor permissions including external_directory '*' allow and broad bash allow rules.
  • scripts/remediate/postinstall.mjs writes global remediator commands/skills and OpenCode config.
  • scripts/postinstall.mjs may update consuming repo .gitignore and probes gh repo view.
Evidence against
  • No credential harvesting or exfiltration endpoint found in inspected install scripts.
  • RuntimeCommand.js only runs operator-provided validation commands and strips Claude Code env vars.
  • Bin wrappers delegate to package dist or build/package CLI behavior.
  • Network URLs observed are repository/homepage metadata, not exfiltration endpoints.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 426 file(s), 2.94 MB of source, external domains: api.anthropic.com, api.github.com, chatgpt.com, cloudcode-pa.googleapis.com, console.anthropic.com, github.com, json-schema.org, opencode.ai

Source & flagged code

5 flagged

package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

wrapper/audit-code-wrapper-lib.mjs
L203: const distUrl = new URL(`file:///${distCliEntry.replace(/\\/g, '/')}`);
L204: const cli = await import(distUrl.href);
L205: await cli.runCli([process.execPath, distCliEntry, commandName, ...commandArgs]);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

wrapper/audit-code-wrapper-lib.mjs · L203

dist/audit/orchestrator/reviewPackets.js
L68: let current = [];
L69: const verbose = Boolean(process.env.AUDIT_CODE_VERBOSE);
L70: for (const task of tasks.sort(compareTasksForPacket)) {
...
L79:   if (verbose) {
L80:     process.stderr.write(`[audit-code:packet-planning] isolated large-file chunk: task="${task.task_id}" file="${task.file_paths[0]}" estimatedTokens=${taskEstimatedTokens} targetPacke...
L81:   }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/audit/orchestrator/reviewPackets.js · L68

dist/audit/orchestrator/runtimeCommand.js
matchType = previous_version_dangerous_delta
matchedPackage = audit-tools@0.30.51
matchedIdentity = npm:YXVkaXQtdG9vbHM:0.30.51
similarity = 0.858
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/audit/orchestrator/runtimeCommand.js

Findings

1 Critical, 1 High, 5 Medium, 7 Low

  • Critical · Previous Version Dangerous Delta · dist/audit/orchestrator/runtimeCommand.js
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · wrapper/audit-code-wrapper-lib.mjs
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Weak Crypto · dist/audit/orchestrator/reviewPackets.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License