create-snipara@2.0.5

Onboard Snipara Hosted MCP Context + Memory with auth, companion workflows, and optional Snipara Sandbox

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-invoked Snipara onboarding CLI that authenticates with Snipara and writes selected local MCP/agent configuration files.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara, init, repair, upgrade, doctor, or related CLI commands.
Impact
User-authorized network calls and local configuration changes; no evidence of hidden credential exfiltration, persistence, or destructive behavior.
Mechanism
interactive setup CLI with OAuth device flow, package-aligned installs, and MCP/client config generation
Rationale
The scanner's credential-exfiltration signal maps to the legitimate Snipara OAuth/device-token and hosted MCP API flows. Risky primitives are user-invoked and package-aligned, with no install-time execution, unrelated endpoint, arbitrary secret harvesting, or unconsented AI-agent control-surface mutation.
Evidence
  • package.json
  • dist/index.js
  • .mcp.json
  • AGENTS.md
  • CLAUDE.md
  • .cursor/rules/snipara.mdc
  • .codex/config.toml
  • .claude/settings.json
  • .snipara/project
  • .snipara/templates
Network endpoints (4)
  • www.snipara.com
  • www.snipara.com/api/oauth/device/code
  • www.snipara.com/api/oauth/device/token
  • api.snipara.com/mcp/{projectSlug}

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json exposes bin/main dist/index.js and has no install/postinstall hook; prepublishOnly only runs build.
  • dist/index.js performs OAuth device flow against https://www.snipara.com/api/oauth/device/code and /token.
  • dist/index.js can install snipara-companion, snipara-mcp, snipara-sandbox, and snipara-orchestrator via user-invoked init/repair/upgrade flows.
  • dist/index.js writes project/client integration files including .mcp.json, AGENTS.md, .cursor/rules/snipara.mdc, .codex/config.toml, .claude/settings.json, and .snipara templates.
Evidence against
  • No import-time or install-time execution beyond CLI entrypoint parsing was found.
  • Network calls are package-aligned to www.snipara.com and api.snipara.com for auth, hosted MCP validation, and setup workflows.
  • No arbitrary credential/env harvesting or unrelated exfiltration endpoint was found; SNIPARA_API_KEY is user-supplied or returned by Snipara auth.
  • Shell execution is limited to opening browser URLs, checking tool versions, package-manager installs, git detection, and package-aligned companion/sandbox commands.
  • AI/client config and hook writes are explicit setup outputs of a project onboarding CLI, not silent lifecycle mutation.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 178 KB of source, external domains: api.snipara.com, github.com, snipara.com, www.snipara.com

Source & flagged code

2 flagged
dist/index.js
    L9: import path from "path";
    L10: import { execSync, spawn } from "child_process";
    L11: import { homedir } from "os";
    L12:
    L13: // package.json
    L14: var package_default = {
    ...
    L60: type: "git",
    L61: url: "git+https://github.com/Snipara/create-snipara.git"
    L62: },
    ...
    L416: if (normalizedOptions.json) {
    L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
    L418: return;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.js · L9
Trigger-reachable chain: manifest.main -> dist/index.js
    L9: import path from "path";
    L10: import { execSync, spawn } from "child_process";
    L11: import { homedir } from "os";
    L12:
    L13: // package.json
    L14: var package_default = {
    ...
    L60: type: "git",
    L61: url: "git+https://github.com/Snipara/create-snipara.git"
    L62: },
    ...
    L416: if (normalizedOptions.json) {
    L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
    L418: return;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.js · L9

Findings

2 Critical, 3 Medium, 5 Low
  • Critical · Credential Exfiltration · dist/index.js
  • Critical · Trigger Reachable Dangerous Capability · dist/index.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings