AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The package is a user-invoked Snipara onboarding CLI that authenticates with Snipara and writes selected local MCP/agent configuration files.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara, init, repair, upgrade, doctor, or related CLI commands.
Impact
User-authorized network calls and local configuration changes; no evidence of hidden credential exfiltration, persistence, or destructive behavior.
Mechanism
Interactive setup CLI with OAuth device flow, package-aligned installs, and MCP/client config generation.
Rationale
The scanner's credential-exfiltration signal maps to the legitimate Snipara OAuth/device-token and hosted MCP API flows. Risky primitives are user-invoked and package-aligned, with no install-time execution, unrelated endpoint, arbitrary secret harvesting, or unconsented AI-agent control-surface mutation.
Evidence
package.json, dist/index.js, .mcp.json, AGENTS.md, CLAUDE.md, .cursor/rules/snipara.mdc, .codex/config.toml, .claude/settings.json, .snipara/project, .snipara/templates
Network endpoints (4)
www.snipara.com
www.snipara.com/api/oauth/device/code
www.snipara.com/api/oauth/device/token
api.snipara.com/mcp/{projectSlug}
Decision evidence
public snapshot
AI called this Clean at 89.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json exposes bin/main dist/index.js and has no install/postinstall hook; prepublishOnly only runs build.
- dist/index.js performs OAuth device flow against https://www.snipara.com/api/oauth/device/code and /token.
- dist/index.js can install snipara-companion, snipara-mcp, snipara-sandbox, and snipara-orchestrator via user-invoked init/repair/upgrade flows.
- dist/index.js writes project/client integration files including .mcp.json, AGENTS.md, .cursor/rules/snipara.mdc, .codex/config.toml, .claude/settings.json, and .snipara templates.
Evidence against
- No import-time or install-time execution beyond CLI entrypoint parsing was found.
- Network calls are package-aligned to www.snipara.com and api.snipara.com for auth, hosted MCP validation, and setup workflows.
- No arbitrary credential/env harvesting or unrelated exfiltration endpoint was found; SNIPARA_API_KEY is user-supplied or returned by Snipara auth.
- Shell execution is limited to opening browser URLs, checking tool versions, package-manager installs, git detection, and package-aligned companion/sandbox commands.
- AI/client config and hook writes are explicit setup outputs of a project onboarding CLI, not silent lifecycle mutation.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged · dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L416: if (normalizedOptions.json) {
L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
L418: return;
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.js · L99
Trigger-reachable chain: manifest.main -> dist/index.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.js · L9
Findings
2 Critical · 3 Medium · 5 Low
Critical · Credential Exfiltration · dist/index.js
Critical · Trigger Reachable Dangerous Capability · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings