AI Security Review
scanned 19h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is an explicit onboarding CLI for Snipara MCP/agent configuration, with user-invoked writes to project agent files and optional hooks.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade commands.
Impact
Configures Snipara integrations; no unconsented install-time mutation or credential exfiltration confirmed.
Mechanism
Interactive scaffolding of Snipara MCP, companion, templates, and optional hooks.
Rationale
Static inspection shows high-risk primitives are package-aligned onboarding behavior gated by explicit CLI invocation, prompts, flags, or selected client/profile. There is no npm install-time execution, import-time payload, stealth persistence, foreign agent hijack, or unrelated credential exfiltration.
Evidence
package.json
dist/index.js
README.md
.mcp.json
.gitignore
.snipara/project
.snipara/templates/*
AGENTS.md
CLAUDE.md
.cursor/rules/snipara.mdc
.codex/config.toml
.claude/hooks/*
.claude/settings.json
.env
.env.local
.env.example
.snipara/companion/config.json
~/Library/Application Support/Claude/claude_desktop_config.json
~/.config/claude/claude_desktop_config.json
Network endpoints (5)
www.snipara.com
www.snipara.com/api/oauth/device/code
www.snipara.com/api/oauth/device/token
www.snipara.com/api/cli/projects/{projectSlug}/automation-client
api.snipara.com/mcp/{projectSlug}
Decision evidence
public snapshot: AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- CLI can write agent control files during user-invoked init: AGENTS.md, CLAUDE.md, .cursor/rules/snipara.mdc, .codex/config.toml.
- Optional Claude Code hooks write .claude/hooks/* and .claude/settings.json when init/repair requests hooks.
- CLI sends user-provided Snipara API key to Snipara endpoints for device auth, MCP validation, and automation-client sync.
Evidence against
- package.json has no install/preinstall/postinstall hook; prepublishOnly only runs build for publishers.
- dist/index.js behavior is behind bin commands/init/repair/doctor/upgrade, not import-time or npm install-time execution.
- Network hosts are package-aligned: www.snipara.com and api.snipara.com.
- API keys are prompted/provided by the user or OAuth device flow, written to project config/env files, and .gitignore entries are added.
- No credential harvesting beyond configured Snipara/runtime keys; no broad env dump or exfiltration loop found.
- Global Claude Desktop config update occurs only for selected claude-desktop client during user-invoked setup.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged · dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L416: if (normalizedOptions.json) {
L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
L418: return;
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.js (L99)
Trigger-reachable chain: manifest.main -> dist/index.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.js (L9)
Findings
2 Critical · 3 Medium · 5 Low
- Critical: Credential Exfiltration (dist/index.js)
- Critical: Trigger Reachable Dangerous Capability (dist/index.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings