AI Security Review
scanned 16h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a setup CLI that writes Snipara MCP and agent configuration after explicit invocation.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade/doctor commands.
Impact
Creates project agent/MCP config and optional hooks/companion setup for Snipara workflows.
Mechanism
User-invoked Snipara onboarding and config generation
Rationale
Static inspection shows risky primitives are package-aligned and activated by explicit CLI setup, not by npm install/import. The scanner's credential-exfiltration hint maps to Snipara device auth/API-key configuration and local MCP setup rather than secret harvesting or third-party exfiltration.
Evidence
- package.json
- dist/index.js
- .mcp.json
- .snipara/project
- .snipara/templates/AGENTS.md
- .snipara/templates/CLAUDE.md
- AGENTS.md
- CLAUDE.md
- .cursor/rules/snipara.mdc
- .codex/config.toml
- .claude/settings.json
- .claude/hooks/snipara-stuck-guard.sh
- .claude/hooks/snipara-startup.sh
- .claude/hooks/snipara-session.sh
- .claude/hooks/snipara-compact.sh
- .env
- .env.local
- .env.example
Network endpoints (4)
- www.snipara.com/api/oauth/device/code
- www.snipara.com/api/oauth/device/token
- api.snipara.com/mcp/{projectSlug}
- www.snipara.com/api/cli/projects/{projectSlug}/automation-client
Decision evidence
public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no consumer install lifecycle hook; prepublishOnly only runs for publishing/build.
- dist/index.js exposes an explicit create-snipara CLI; default action is interactive/user-invoked init.
- Network calls are Snipara-aligned OAuth, MCP validation, and project automation endpoints.
- API keys are prompted/provided by user and written to local Snipara config/MCP files, not harvested broadly.
- Agent/MCP files are generated in project scope or selected Claude Desktop path as setup output, not install-time mutation.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged · dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L416: if (normalizedOptions.json) {
L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
L418: return;
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.js · L99
Trigger-reachable chain: manifest.main -> dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L416: if (normalizedOptions.json) {
L417: console.log(JSON.stringify({ detection: detectEnvironment(), validation: report }, null, 2));
L418: return;
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.js · L9
Findings
2 Critical · 3 Medium · 5 Low
- Critical: Credential Exfiltration (dist/index.js)
- Critical: Trigger Reachable Dangerous Capability (dist/index.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings