AI Security Review
scanned 8d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package exposes a first-party AI host integration setup command that can install hooks, skills, symlinks, and MCP config entries. This is package-aligned and explicit, but it changes AI-agent control surfaces when run.
Decision evidence
public snapshot- dist/src/init/host-setup.js explicit `clad setup` wires Claude/Gemini/Codex/Cursor host integrations under user home.
- dist/src/init/host-setup.js can write ~/.codex/config.toml and ~/.cursor/mcp.json and symlink ~/.claude/plugins/cladding and ~/.agents/skills/cladding-* when invoked.
- plugins/claude-code/hooks/hooks.json registers Claude lifecycle hooks that execute `node ${CLAUDE_PLUGIN_ROOT}/dist/clad.js hook ...`.
- dist/src/init/host-setup.js attempts non-interactive `claude plugin ...` and `gemini extensions link ...` activation after explicit setup.
- package.json has no preinstall/install/postinstall; prepare only builds if dist/clad.js is absent.
- bin/clad only imports bundled dist/clad.js, falling back to `npx tsx` for development when dist is missing.
- Host config mutation is behind explicit `clad setup`/`clad update`, not npm install-time execution.
- dist/src/cli/scan/dispatcher.js and dist/src/adapters/sdk/anthropic.js use user-provided AI API keys for opt-in model dispatch, not harvesting/exfiltration.
- Scanner eval/secret/child_process hits are mostly tests, toolchain gates, git probes, or bundled dependencies.
- No hidden payload URL, credential collection loop, destructive action, or remote code loader confirmed in inspected source.
Source & flagged code
13 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/tests/stages/util.test.jsView on unpkg · L88AWS access key ID in dist/tests/stages/util.test.js
dist/tests/stages/util.test.jsView on unpkg · L88Package source references child process execution.
dist/tests/core/checkpoint.test.jsView on unpkg · L16Package source references a known benign dynamic code generation pattern.
dist/tests/stages/ai-hints-forbidden-pattern.test.jsView on unpkg · L22Package source references dynamic require/import behavior.
dist/tests/optimizer/infer-depends-on.test.jsView on unpkg · L124A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/clad.jsView on unpkg · L710Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/clad.jsView on unpkg · L417Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/clad.jsView on unpkg · L6Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/clad.jsView on unpkg · L6Package source invokes a package manager install command at runtime.
dist/tests/cli/graph-export-pipe.test.jsView on unpkg · L19This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/cli/doctor-hosts.jsView on unpkgStripe live secret key in dist/conformance/runner.js
dist/conformance/runner.jsView on unpkg · L252