AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Decision evidence
public snapshot- `dist/setup-ZnQXTEP-.mjs` explicitly configures IDE agents.
- `dist/ide-DPDVYiaq.mjs` writes MCP configs invoking `npx contentrain serve --stdio`.
- `dist/ide-DPDVYiaq.mjs` installs always-applied rules/skills and can commit them to the project.
- `dist/client-CJsHr9Db.mjs` sends authenticated Studio API requests to `https://studio.contentrain.io`.
- `package.json` contains no preinstall/install/postinstall lifecycle hook.
- CLI entrypoint `dist/index.mjs` only dispatches named user commands.
- Agent configuration is limited to project-local IDE paths and requires `setup`, `skills`, or init flow.
- No credential harvesting, unrelated exfiltration, remote payload execution, or stealth persistence was found.
Source & flagged code
4 flagged · loading source`dist/setup-ZnQXTEP-.mjs` explicitly configures IDE agents.
dist/setup-ZnQXTEP-.mjsView on unpkg`dist/ide-DPDVYiaq.mjs` writes MCP configs invoking `npx contentrain serve --stdio`.
dist/ide-DPDVYiaq.mjsView on unpkg`dist/ide-DPDVYiaq.mjs` installs always-applied rules/skills and can commit them to the project.
dist/ide-DPDVYiaq.mjsView on unpkg`dist/client-CJsHr9Db.mjs` sends authenticated Studio API requests to `https://studio.contentrain.io`.
dist/client-CJsHr9Db.mjsView on unpkg