AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The package is an agent setup CLI that can modify AI-agent MCP and Claude settings only when the user runs commands to apply recommendations.
Decision evidence
public snapshot
- User-invoked CLI can write AI-agent config files: .mcp.json, .claude/settings.json, .cursor/mcp.json, .gemini/settings.json, opencode.json, .codex/config.toml, ~/.openclaw/openclaw.json.
- Catalog MCP entries include runtime package launchers such as npx -y and some @latest package args in plugins/loadout/catalog/mcp.json.
- Catalog hooks add Claude Code shell commands to .claude/settings.json for formatting, linting, secret-read blocking, and git-push blocking.
- package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly only runs tests before publishing.
- cli/index.js requires explicit CLI actions, interactive confirmation, --all, --fix, --ids, or manifest apply before writes occur.
- cli/lib/apply.mjs and cli/lib/targets.mjs only merge selected catalog entries into documented agent config paths; no stealth persistence or destructive logic found.
- cli/lib/doctor.mjs uses child_process only for commandExists via which/where during user-invoked audit, not to execute package payloads.
- No credential harvesting or exfiltration code found; token strings are placeholders or user warnings.
- Skills/reference items are printed as manual install commands rather than auto-installed.
Source & flagged code
4 flagged
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
cli/lib/doctor.mjs: Package source invokes a package manager install command at runtime.
cli/lib/doctor.mjs · L427