registry  /  berserqir  /  0.7.7

berserqir@0.7.7

Berserqir — the agent legion harness. SDD + hierarchical memory + agentic loop + behavioral evals, portable across GitHub Copilot, Claude Code and Cursor.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit `berserqir install` deploys a project-local agent harness and registers first-party hooks for Copilot, Claude Code, or Cursor. Those hooks can run local guard scripts and, at stop time, the project's configured verification commands. No install-time execution or confirmed data-exfiltration chain was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `berserqir install` or `berserqir update` against a project.
Impact
Agent behavior and project-session commands can be gated; target-project lint/typecheck may execute during later agent sessions.
Mechanism
Explicit project-local AI-agent hook installation with local subprocess checks.
Rationale
Source inspection confirms a user-invoked, project-local agent extension installer rather than the scanner's claimed malware chain. Warn because its installed hooks can control AI-agent sessions and execute target-project verification commands, but do not block absent unconsented lifecycle installation or concrete malicious behavior.
Evidence
package.jsonbin/berserqir.jsadapters/copilot/compile.mjsadapters/claude-code/compile.mjsadapters/cursor/compile.mjscore/hooks/session-verify/session-verify.mjscore/hooks/update-check/update-check.mjsadapters/copilot/hook-adapter.mjsadapters/claude-code/hook-adapter.mjsadapters/cursor/hook-adapter.mjs.github/hooks/berserqir.json.claude/settings.json.cursor/hooks.json.berserqir/hooks

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `install` compiles and writes AI-agent hook configs into the selected project.
  • Claude/Cursor adapters register hooks that execute vendored Node guard scripts on agent events.
  • `session-verify` can run the target project's existing npm/npx typecheck or lint at agent-session stop.
  • `update-check` detaches an `npm view berserqir version` refresh after installed hooks run.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Writes require an explicit CLI install/update action and target project directory; modified files need consent unless `--force`.
  • No credential exfiltration, remote payload download/execution, eval/vm use, or foreign/global agent-config paths found.
  • Hook code is package-aligned safety, memory, and quality enforcement; scanner child-process signals map to these local functions.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 140 KB of source

Source & flagged code

3 flagged · loading source
core/hooks/session-verify/session-verify.mjsView file
22import { readFileSync, existsSync } from 'node:fs' L23: import { spawnSync } from 'node:child_process' L24: import { join, resolve, sep } from 'node:path'
High
Child Process

Package source references child process execution.

core/hooks/session-verify/session-verify.mjsView on unpkg · L22
bin/berserqir.jsView file
4// Usage: L5: // npx berserqir install [--profiles front,back,ops,infra] [--dir <target>] [--yes] [--force] [--dry-run] L6: // npx berserqir update | version | help ... L15: const crypto = require('node:crypto') L16: const { spawnSync } = require('node:child_process') L17: const readline = require('node:readline/promises')
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/berserqir.jsView on unpkg · L4
adapters/copilot/hook-adapter.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = berserqir@0.6.9 matchedIdentity = npm:YmVyc2VycWly:0.6.9 similarity = 0.700 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

adapters/copilot/hook-adapter.mjsView on unpkg

Findings

1 Critical3 High2 Medium3 Low
CriticalPrevious Version Dangerous Deltaadapters/copilot/hook-adapter.mjs
HighChild Processcore/hooks/session-verify/session-verify.mjs
HighShell
HighRuntime Package Installbin/berserqir.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings