AI Security Review
scanned 2h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade with options or prompts; no npm install hook trigger found.
Impact
Project AI-agent behavior/config may change and selected docs may be uploaded to Snipara; no confirmed malicious exfiltration or unconsented install-time hijack.
Mechanism
Explicit CLI agent configuration and Snipara-hosted MCP sync.
Rationale
Static source inspection confirms broad AI-agent config/hook mutation and package-aligned network sync, but no preinstall/install/postinstall mutation, hidden exfiltration, or remote payload execution. Under policy this is a warning-class explicit user-command agent configuration risk, not malicious.
Evidence
package.json, dist/index.js, .mcp.json, .snipara/project, .snipara/templates/*, AGENTS.md, CLAUDE.md, .cursor/rules/snipara.mdc, .codex/config.toml, .claude/hooks/*.sh, .claude/settings.json, .env, .env.local, .env.example, .snipara/companion/config.json, .snipara/activation/*, ~/.claude/settings.json, Claude Desktop config
Network endpoints (3)
www.snipara.com, api.snipara.com, localhost:8765/mcp
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/index.js is the bin entrypoint and defaults to runInit on CLI execution.
- runInit writes project AI-agent files: AGENTS.md, CLAUDE.md, .cursor/rules/snipara.mdc, .codex/config.toml, .mcp.json.
- Claude Code hook setup writes .claude/hooks/*.sh and .claude/settings.json when hooks are enabled.
- With a live Snipara API key, README/docs content is sent to api.snipara.com MCP tools for indexing.
- updateEnvFiles may write provided SNIPARA_API_KEY/LLM keys to .env or .env.local.
- Uses execSync/spawn for git inspection, package installs, browser opening, and companion commands.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hook; only prepublishOnly builds.
- Risky behavior is reached only through explicit CLI commands (init/repair/upgrade), not import-time execution.
- Network endpoints are Snipara-branded and package-aligned: www.snipara.com and api.snipara.com.
- No evidence of arbitrary remote code download/eval, credential harvesting beyond user-provided Snipara/LLM config, or stealth persistence.
- Generated MCP configs and templates instruct use of SNIPARA_API_KEY and gitignore sensitive local config.
- Doctor/validation behavior mostly reads local config and reports status.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged · dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L139: function getActivationDir() {
L140: return path.join(process.cwd(), ".snipara", "activation");
L141: }
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.js · L99
Trigger-reachable chain: manifest.main -> dist/index.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.js · L9
Findings
2 Critical · 3 Medium · 5 Low
- Critical: Credential Exfiltration (dist/index.js)
- Critical: Trigger Reachable Dangerous Capability (dist/index.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings