AI Security Review
scanned 4h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a setup CLI that writes project-scoped Snipara MCP and agent configuration when explicitly run.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade CLI commands
Impact
Creates or updates package-aligned project configuration; optional hooks call local snipara-companion when enabled.
Mechanism
Interactive Snipara MCP onboarding and optional local helper generation
Rationale
Scanner credential-exfiltration hints are explained by user-authorized Snipara API key setup, hosted MCP validation, and local config generation. There is no lifecycle-triggered foreign agent control hijack or unconsented off-domain data exfiltration in the inspected source.
Evidence
package.json, dist/index.js, .mcp.json, .snipara/project, .snipara/templates/*, AGENTS.md, CLAUDE.md, .cursor/rules/snipara.mdc, .codex/config.toml, .claude/hooks/*.sh, .claude/settings.json, .env, .env.local, .env.example, .snipara/companion/config.json, .snipara/companion/doctor.json
Network endpoints (3)
www.snipara.com, api.snipara.com, localhost:8765/mcp
Decision evidence
public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/postinstall hook; only prepublishOnly runs build for publisher workflow
- dist/index.js entrypoint is a user-invoked CLI via bin create-snipara, not import-time execution
- Network calls are package-aligned Snipara auth/MCP endpoints: https://www.snipara.com and https://api.snipara.com
- Project writes are setup artifacts such as .mcp.json, AGENTS.md, CLAUDE.md, .codex/config.toml, .snipara/*, and optional .env files
- Claude Code hooks are generated only when selected/defaulted in companion/full profiles and run local snipara-companion commands
- No evidence of credential harvesting or off-domain exfiltration; API keys are user-provided or OAuth-returned for Snipara config/validation
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
2 flagged
dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L121: function getActivationDir() {
L122: return path.join(process.cwd(), ".snipara", "activation");
L123: }
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.js · L99
Trigger-reachable chain: manifest.main -> dist/index.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.js · L9
Findings
2 Critical, 3 Medium, 5 Low
- Critical: Credential Exfiltration (dist/index.js)
- Critical: Trigger Reachable Dangerous Capability (dist/index.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings