create-snipara@2.0.12

Onboard Snipara Hosted MCP Context + Memory with auth, companion workflows, and optional Snipara Sandbox

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade with options or prompts; no npm install hook trigger found.
Impact
Project AI-agent behavior/config may change and selected docs may be uploaded to Snipara; no confirmed malicious exfiltration or unconsented install-time hijack.
Mechanism
explicit CLI agent configuration and Snipara hosted MCP sync
Rationale
Static source inspection confirms broad AI-agent config/hook mutation and package-aligned network sync, but no preinstall/install/postinstall mutation, hidden exfiltration, or remote payload execution. Under policy this is a warning-class explicit user-command agent configuration risk, not malicious.
Evidence
package.json, dist/index.js, .mcp.json, .snipara/project, .snipara/templates/*, AGENTS.md, CLAUDE.md, .cursor/rules/snipara.mdc, .codex/config.toml, .claude/hooks/*.sh, .claude/settings.json, .env, .env.local, .env.example, .snipara/companion/config.json, .snipara/activation/*, ~/.claude/settings.json, Claude Desktop config
Network endpoints (3)
www.snipara.com, api.snipara.com, localhost:8765/mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js is the bin entrypoint and defaults to runInit on CLI execution.
  • runInit writes project AI-agent files: AGENTS.md, CLAUDE.md, .cursor/rules/snipara.mdc, .codex/config.toml, .mcp.json.
  • Claude Code hook setup writes .claude/hooks/*.sh and .claude/settings.json when hooks are enabled.
  • With a live Snipara API key, README/docs content is sent to api.snipara.com MCP tools for indexing.
  • updateEnvFiles may write provided SNIPARA_API_KEY/LLM keys to .env or .env.local.
  • Uses execSync/spawn for git inspection, package installs, browser opening, and companion commands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hook; only prepublishOnly builds.
  • Risky behavior is reached by explicit CLI commands/init/repair/upgrade, not import-time execution.
  • Network endpoints are Snipara-branded and package-aligned: www.snipara.com and api.snipara.com.
  • No evidence of arbitrary remote code download/eval, credential harvesting beyond user-provided Snipara/LLM config, or stealth persistence.
  • Generated MCP configs and templates instruct use of SNIPARA_API_KEY and gitignore sensitive local config.
  • Doctor/validation behavior mostly reads local config and reports status.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 223 KB of source, external domains: api.snipara.com, github.com, snipara.com, www.snipara.com

Source & flagged code

2 flagged
dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L139: function getActivationDir() {
L140: return path.join(process.cwd(), ".snipara", "activation");
L141: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.js · L9
Trigger-reachable chain: manifest.main -> dist/index.js
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.js · L9

Findings

2 Critical, 3 Medium, 5 Low
  • Critical: Credential Exfiltration (dist/index.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/index.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings