registry  /  create-snipara  /  2.0.8

create-snipara@2.0.8

Onboard Snipara Hosted MCP Context + Memory with auth, companion workflows, and optional Snipara Sandbox

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a setup CLI that writes project-scoped Snipara MCP and agent configuration when explicitly run.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade CLI commands
Impact
Creates or updates package-aligned project configuration; optional hooks call local snipara-companion when enabled.
Mechanism
Interactive Snipara MCP onboarding and optional local helper generation
Rationale
Scanner credential-exfiltration hints are explained by user-authorized Snipara API key setup, hosted MCP validation, and local config generation. There is no lifecycle-triggered foreign agent control hijack or unconsented off-domain data exfiltration in the inspected source.
Evidence
package.jsondist/index.js.mcp.json.snipara/project.snipara/templates/*AGENTS.mdCLAUDE.md.cursor/rules/snipara.mdc.codex/config.toml.claude/hooks/*.sh.claude/settings.json.env.env.local.env.example.snipara/companion/config.json.snipara/companion/doctor.json
Network endpoints3
www.snipara.comapi.snipara.comlocalhost:8765/mcp

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; only prepublishOnly runs build for publisher workflow
    • dist/index.js entrypoint is a user-invoked CLI via bin create-snipara, not import-time execution
    • Network calls are package-aligned Snipara auth/MCP endpoints: https://www.snipara.com and https://api.snipara.com
    • Project writes are setup artifacts such as .mcp.json, AGENTS.md, CLAUDE.md, .codex/config.toml, .snipara/*, and optional .env files
    • Claude Code hooks are generated only when selected/defaulted in companion/full profiles and run local snipara-companion commands
    • No evidence of credential harvesting or off-domain exfiltration; API keys are user-provided or OAuth-returned for Snipara config/validation
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 198 KB of source, external domains: api.snipara.com, github.com, snipara.com, www.snipara.com

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    9import path from "path"; L10: import { execSync, spawn } from "child_process"; L11: import { homedir } from "os"; L12: L13: // package.json L14: var package_default = { ... L60: type: "git", L61: url: "git+https://github.com/Snipara/create-snipara.git" L62: }, ... L121: function getActivationDir() { L122: return path.join(process.cwd(), ".snipara", "activation"); L123: }
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/index.jsView on unpkg · L9
    9Trigger-reachable chain: manifest.main -> dist/index.js L9: import path from "path"; L10: import { execSync, spawn } from "child_process"; L11: import { homedir } from "os"; L12: L13: // package.json L14: var package_default = { ... L60: type: "git", L61: url: "git+https://github.com/Snipara/create-snipara.git" L62: }, ... L121: function getActivationDir() { L122: return path.join(process.cwd(), ".snipara", "activation"); L123: }
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index.jsView on unpkg · L9

    Findings

    2 Critical3 Medium5 Low
    CriticalCredential Exfiltrationdist/index.js
    CriticalTrigger Reachable Dangerous Capabilitydist/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings