
create-snipara@2.0.4

Onboard Snipara Hosted MCP Context + Memory with auth, companion workflows, and optional Snipara Sandbox

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an interactive Snipara onboarding CLI that writes local MCP/agent config and contacts Snipara services using user-provided credentials.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade and accepts defaults or prompts.
Impact
Project config changes and Snipara API validation/sync consistent with package purpose.
Mechanism
Interactive scaffolding of Snipara MCP, companion config, optional hooks, and validation calls.
Rationale
Static inspection shows risky primitives, but they are user-invoked setup behavior for the advertised Snipara MCP/AI-client onboarding purpose. No install-time execution, unrelated credential harvesting, covert endpoint, or unconsented AI-agent control mutation was found.
Evidence
  • package.json
  • dist/index.js
  • .mcp.json
  • .snipara/project
  • .snipara/templates/*
  • AGENTS.md
  • CLAUDE.md
  • .cursor/rules/snipara.mdc
  • .codex/config.toml
  • .claude/hooks/snipara-*.sh
  • .claude/settings.json
  • .env
  • .env.local
  • .env.example
  • .snipara/companion/config.json
  • .snipara/companion/doctor.json
Network endpoints (4)
  • www.snipara.com/api/oauth/device/code
  • www.snipara.com/api/oauth/device/token
  • www.snipara.com/api/cli/projects/{projectSlug}/automation-client
  • api.snipara.com/mcp/{projectSlug}

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js posts user-supplied Snipara API key to api.snipara.com for hosted MCP validation and www.snipara.com automation-client sync.
  • dist/index.js can install global companion/Python packages and write AI client configs/hooks during user-invoked init/repair/upgrade flows.
Evidence against
  • package.json has no install/postinstall hook; only prepublishOnly build script is publisher-side.
  • dist/index.js is a CLI entrypoint; actions are behind commands/prompts/options, not import-time execution.
  • Network hosts are Snipara-owned/aligned: www.snipara.com and api.snipara.com.
  • Credential use is package-aligned: SNIPARA_API_KEY is written to local Snipara MCP/companion config and sent as auth to Snipara endpoints.
  • Generated Claude hooks call local snipara-companion and are created only in setup flows, not silently during npm install.
  • No obfuscation, staged payload, destructive file deletion, persistence outside generated project/client config, or unrelated exfiltration found.
Behavioral surface
Source
ChildProcess · EnvironmentVars · Filesystem · Network · Shell
Supply chain
HighEntropyStrings · UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 177 KB of source, external domains: api.snipara.com, github.com, snipara.com, www.snipara.com

Source & flagged code

2 flagged
dist/index.js
    L9: import path from "path";
    L10: import { execSync, spawn } from "child_process";
    L11: import { homedir } from "os";
    L12:
    L13: // package.json
    L14: var package_default = {
    ...
    L60: type: "git",
    L61: url: "git+https://github.com/Snipara/create-snipara.git"
    L62: },
    ...
    L416: if (normalizedOptions.json) {
    L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
    L418: return;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.js · L9
Trigger-reachable chain: manifest.main -> dist/index.js
    L9: import path from "path";
    L10: import { execSync, spawn } from "child_process";
    L11: import { homedir } from "os";
    L12:
    L13: // package.json
    L14: var package_default = {
    ...
    L60: type: "git",
    L61: url: "git+https://github.com/Snipara/create-snipara.git"
    L62: },
    ...
    L416: if (normalizedOptions.json) {
    L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
    L418: return;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.js · L9

Findings

2 Critical · 3 Medium · 5 Low
Critical · Credential Exfiltration · dist/index.js
Critical · Trigger Reachable Dangerous Capability · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings