create-snipara@2.0.6

Onboard Snipara Hosted MCP Context + Memory with auth, companion workflows, and optional Snipara Sandbox

AI Security Review

scanned 19h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an explicit onboarding CLI for Snipara MCP/agent configuration, with user-invoked writes to project agent files and optional hooks.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade commands.
Impact
Configures Snipara integrations; no unconsented install-time mutation or credential exfiltration confirmed.
Mechanism
Interactive scaffolding of Snipara MCP, companion, templates, and optional hooks.
Rationale
Static inspection shows high-risk primitives are package-aligned onboarding behavior gated by explicit CLI invocation, prompts, flags, or selected client/profile. There is no npm install-time execution, import-time payload, stealth persistence, foreign agent hijack, or unrelated credential exfiltration.
Evidence
  • package.json
  • dist/index.js
  • README.md
  • .mcp.json
  • .gitignore
  • .snipara/project
  • .snipara/templates/*
  • AGENTS.md
  • CLAUDE.md
  • .cursor/rules/snipara.mdc
  • .codex/config.toml
  • .claude/hooks/*
  • .claude/settings.json
  • .env
  • .env.local
  • .env.example
  • .snipara/companion/config.json
  • ~/Library/Application Support/Claude/claude_desktop_config.json
  • ~/.config/claude/claude_desktop_config.json
Network endpoints (5)
  • www.snipara.com
  • www.snipara.com/api/oauth/device/code
  • www.snipara.com/api/oauth/device/token
  • www.snipara.com/api/cli/projects/{projectSlug}/automation-client
  • api.snipara.com/mcp/{projectSlug}

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • CLI can write agent control files during user-invoked init: AGENTS.md, CLAUDE.md, .cursor/rules/snipara.mdc, .codex/config.toml.
  • Optional Claude Code hooks write .claude/hooks/* and .claude/settings.json when init/repair requests hooks.
  • CLI sends user-provided Snipara API key to Snipara endpoints for device auth, MCP validation, and automation-client sync.
Evidence against
  • package.json has no install/preinstall/postinstall hook; prepublishOnly only runs build for publishers.
  • dist/index.js behavior is behind bin commands/init/repair/doctor/upgrade, not import-time or npm install-time execution.
  • Network hosts are package-aligned: www.snipara.com and api.snipara.com.
  • API keys are prompted/provided by the user or OAuth device flow, written to project config/env files, and .gitignore entries are added.
  • No credential harvesting beyond configured Snipara/runtime keys; no broad env dump or exfiltration loop found.
  • Global Claude Desktop config update occurs only for selected claude-desktop client during user-invoked setup.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 178 KB of source, external domains: api.snipara.com, github.com, snipara.com, www.snipara.com

Source & flagged code

2 flagged
dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L416: if (normalizedOptions.json) {
L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
L418: return;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.js · L9
Trigger-reachable chain: manifest.main -> dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L416: if (normalizedOptions.json) {
L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
L418: return;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.js · L9

Findings

2 Critical, 3 Medium, 5 Low
  • Critical: Credential Exfiltration (dist/index.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/index.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings