AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The package is an interactive Snipara onboarding CLI that writes local MCP/agent config and contacts Snipara services using user-provided credentials.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade and accepts defaults or prompts.
Impact
Project config changes and Snipara API validation/sync consistent with package purpose.
Mechanism
Interactive scaffolding of Snipara MCP, companion config, optional hooks, and validation calls.
Rationale
Static inspection shows risky primitives, but they are user-invoked setup behavior for the advertised Snipara MCP/AI-client onboarding purpose. No install-time execution, unrelated credential harvesting, covert endpoint, or unconsented AI-agent control mutation was found.
Evidence
- package.json
- dist/index.js
- .mcp.json
- .snipara/project
- .snipara/templates/*
- AGENTS.md
- CLAUDE.md
- .cursor/rules/snipara.mdc
- .codex/config.toml
- .claude/hooks/snipara-*.sh
- .claude/settings.json
- .env
- .env.local
- .env.example
- .snipara/companion/config.json
- .snipara/companion/doctor.json
Network endpoints (4)
- www.snipara.com/api/oauth/device/code
- www.snipara.com/api/oauth/device/token
- www.snipara.com/api/cli/projects/{projectSlug}/automation-client
- api.snipara.com/mcp/{projectSlug}
Decision evidence
public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js posts user-supplied Snipara API key to api.snipara.com for hosted MCP validation and www.snipara.com automation-client sync.
- dist/index.js can install global companion/Python packages and write AI client configs/hooks during user-invoked init/repair/upgrade flows.
Evidence against
- package.json has no install/postinstall hook; only prepublishOnly build script is publisher-side.
- dist/index.js is a CLI entrypoint; actions are behind commands/prompts/options, not import-time execution.
- Network hosts are Snipara-owned/aligned: www.snipara.com and api.snipara.com.
- Credential use is package-aligned: SNIPARA_API_KEY is written to local Snipara MCP/companion config and sent as auth to Snipara endpoints.
- Generated Claude hooks call local snipara-companion and are created only in setup flows, not silently during npm install.
- No obfuscation, staged payload, destructive file deletion, persistence outside generated project/client config, or unrelated exfiltration found.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged · dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L416: if (normalizedOptions.json) {
L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
L418: return;
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.js · L99
Trigger-reachable chain: manifest.main -> dist/index.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.js · L9
Findings
2 Critical, 3 Medium, 5 Low
- Critical: Credential Exfiltration (dist/index.js)
- Critical: Trigger Reachable Dangerous Capability (dist/index.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings