
create-snipara@2.0.9

Onboard Snipara Hosted MCP Context + Memory with auth, companion workflows, and optional Snipara Sandbox

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious lifecycle or import-time attack was found. The package is a user-invoked AI/MCP onboarding CLI that can write broad project AI-agent configuration and optional Claude hooks, which is agent-control-surface risk but package-aligned.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade CLI commands.
Impact
Could alter AI-agent behavior in the current project and optionally route hook context through Snipara companion tooling after user-selected setup.
Mechanism
project MCP/agent config generation with optional local hooks
Attack narrative
The CLI onboards a project to Snipara Hosted MCP, creates project-scoped MCP and agent instruction files, and may install Claude Code hooks when advanced/companion profiles enable hooks. This is sensitive AI-agent surface mutation, but inspection shows it is user-invoked, documented, package-aligned, and not delivered through npm install lifecycle execution.
Rationale
Static inspection does not support a malicious verdict: there is no install-time execution, credential harvesting, remote code execution, or unconsented foreign agent takeover. Because the package can configure broad AI-agent surfaces and optional hooks, warn rather than mark clean.
Evidence
package.json
README.md
dist/index.js
.mcp.json
AGENTS.md
CLAUDE.md
.cursor/rules/snipara.mdc
.codex/config.toml
.snipara/project
.snipara/templates/*
.snipara/companion/config.json
.snipara/companion/doctor.json
.snipara/activation/manifest.json
.snipara/activation/handoff.md
.snipara/activation/memory-candidates.json
.claude/settings.json
.claude/hooks/snipara-stuck-guard.sh
.claude/hooks/snipara-startup.sh
.claude/hooks/snipara-session.sh
Network endpoints (4)
www.snipara.com/api/oauth/device/code
www.snipara.com/api/oauth/device/token
www.snipara.com/api/cli/projects/{projectSlug}/automation-client
api.snipara.com/mcp/{projectSlug}

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js user-invoked init writes project agent control files: AGENTS.md, CLAUDE.md, .codex/config.toml, .cursor/rules/snipara.mdc, .mcp.json.
  • dist/index.js optional/advanced Claude Code hooks write .claude/settings.json and .claude/hooks scripts that receive tool input/output and call snipara-companion.
  • dist/index.js sends device auth and hosted MCP/automation requests to snipara.com/api.snipara.com using user-provided or device-flow API keys.
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly only runs npm run build for publisher-side packaging.
  • dist/index.js behavior is exposed through the create-snipara CLI/init/repair/upgrade commands, not import-time execution.
  • Default profile is hosted-only; companion, sandbox, orchestrator, and hooks require advanced profile/options or selected profiles.
  • Network endpoints and written configs are Snipara product-aligned and documented in README.md.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 206 KB of source, external domains: api.snipara.com, github.com, snipara.com, www.snipara.com

Source & flagged code

2 flagged
dist/index.js (excerpt, with original file line numbers; "..." marks elided ranges)
  L9:   import path from "path";
  L10:  import { execSync, spawn } from "child_process";
  L11:  import { homedir } from "os";
  L12:
  L13:  // package.json
  L14:  var package_default = {
  ...
  L60:    type: "git",
  L61:    url: "git+https://github.com/Snipara/create-snipara.git"
  L62:  },
  ...
  L134: function getActivationDir() {
  L135:   return path.join(process.cwd(), ".snipara", "activation");
  L136: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.js · L9
Trigger-reachable chain: manifest.main -> dist/index.js, L9 (same excerpt as shown under Source & flagged code above).
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.js · L9

Findings

2 Critical, 3 Medium, 5 Low
Critical: Credential Exfiltration (dist/index.js)
Critical: Trigger Reachable Dangerous Capability (dist/index.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings