AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `benjamin-docs hooks install` or `benjamin-docs mcp install`.
Impact
Configured agents may start the package CLI in that project; changes are removable with explicit uninstall commands.
Mechanism
Registers fixed local CLI hook/MCP commands and checks npm for updates.
Rationale
Source inspection found no concrete malicious chain, credential exfiltration, remote payload execution, or install-time persistence. The explicit AI-agent configuration mutation is a real capability that warrants a warning under the stated policy.
Evidence
package.jsondist/src/cli.jsdist/src/hooks.jsdist/src/mcp-install.jsdist/src/update-check.jsdist/src/git.js.claude/settings.json.codex/hooks.json.cursor/hooks.json.mcp.json.cursor/mcp.json.codex/config.toml~/.benjamin-docs/update-check.json
Network endpoints1
registry.npmjs.org/benjamin-docs/latest
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- Explicit `hooks install` writes project AI-agent hook configs.
- Explicit `mcp install` registers `benjamin-docs mcp` in agent configs.
- CLI performs a best-effort npm registry update check.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- Hook/MCP changes are only reached through explicit CLI subcommands.
- Hook commands are fixed `benjamin-docs session-start` invocations.
- No eval/vm/dynamic code loading found.
- Child processes only invoke Node self-update refresh and fixed `git` commands.
- No credential harvesting or non-registry exfiltration found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/src/export.jsView file
1import { execFileSync } from "node:child_process";
L2: import { existsSync, readFileSync, rmSync } from "node:fs";
High
dist/src/update-check.jsView file
1import { spawn } from "node:child_process";
L2: import { mkdirSync, readFileSync, writeFileSync } from "node:fs";
...
L7: const FETCH_TIMEOUT_MS = 3000;
L8: const DEFAULT_REGISTRY_URL = "https://registry.npmjs.org/benjamin-docs/latest";
L9: export function updateChecksEnabled() {
L10: return process.env.BENJAMIN_DOCS_NO_UPDATE_CHECK !== "1";
L11: }
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/src/update-check.jsView on unpkg · L1Findings
3 High2 Medium4 Low
HighChild Processdist/src/export.js
HighShell
HighSame File Env Network Executiondist/src/update-check.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings