registry  /  create-snipara  /  2.0.7

create-snipara@2.0.7

Onboard Snipara Hosted MCP Context + Memory with auth, companion workflows, and optional Snipara Sandbox

AI Security Review

scanned 16h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a setup CLI that writes Snipara MCP and agent configuration after explicit invocation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade/doctor commands.
Impact
Creates project agent/MCP config and optional hooks/companion setup for Snipara workflows.
Mechanism
User-invoked Snipara onboarding and config generation
Rationale
Static inspection shows risky primitives are package-aligned and activated by explicit CLI setup, not by npm install/import. The scanner's credential-exfiltration hint maps to Snipara device auth/API-key configuration and local MCP setup rather than secret harvesting or third-party exfiltration.
Evidence
package.jsondist/index.js.mcp.json.snipara/project.snipara/templates/AGENTS.md.snipara/templates/CLAUDE.mdAGENTS.mdCLAUDE.md.cursor/rules/snipara.mdc.codex/config.toml.claude/settings.json.claude/hooks/snipara-stuck-guard.sh.claude/hooks/snipara-startup.sh.claude/hooks/snipara-session.sh.claude/hooks/snipara-compact.sh.env.env.local.env.example
Network endpoints4
www.snipara.com/api/oauth/device/codewww.snipara.com/api/oauth/device/tokenapi.snipara.com/mcp/{projectSlug}www.snipara.com/api/cli/projects/{projectSlug}/automation-client

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no consumer install lifecycle hook; prepublishOnly only runs for publishing/build.
    • dist/index.js exposes an explicit create-snipara CLI; default action is interactive/user-invoked init.
    • Network calls are Snipara-aligned OAuth, MCP validation, and project automation endpoints.
    • API keys are prompted/provided by user and written to local Snipara config/MCP files, not harvested broadly.
    • Agent/MCP files are generated in project scope or selected Claude Desktop path as setup output, not install-time mutation.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 179 KB of source, external domains: api.snipara.com, github.com, snipara.com, www.snipara.com

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    9import path from "path"; L10: import { execSync, spawn } from "child_process"; L11: import { homedir } from "os"; L12: L13: // package.json L14: var package_default = { ... L60: type: "git", L61: url: "git+https://github.com/Snipara/create-snipara.git" L62: }, ... L416: if (normalizedOptions.json) { L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2)); L418: return;
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/index.jsView on unpkg · L9
    9Trigger-reachable chain: manifest.main -> dist/index.js L9: import path from "path"; L10: import { execSync, spawn } from "child_process"; L11: import { homedir } from "os"; L12: L13: // package.json L14: var package_default = { ... L60: type: "git", L61: url: "git+https://github.com/Snipara/create-snipara.git" L62: }, ... L416: if (normalizedOptions.json) { L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2)); L418: return;
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index.jsView on unpkg · L9

    Findings

    2 Critical3 Medium5 Low
    CriticalCredential Exfiltrationdist/index.js
    CriticalTrigger Reachable Dangerous Capabilitydist/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings