AI Security Review
scanned 3h ago · by lpm-firewall-ai
No confirmed malicious lifecycle or import-time attack was found. The package is a user-invoked AI/MCP onboarding CLI that can write broad project AI-agent configuration and optional Claude hooks, which is agent-control-surface risk but package-aligned.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs create-snipara/init/repair/upgrade CLI commands.
Impact
Could alter AI-agent behavior in the current project and optionally route hook context through Snipara companion tooling after user-selected setup.
Mechanism
project MCP/agent config generation with optional local hooks
Attack narrative
The CLI onboards a project to Snipara Hosted MCP, creates project-scoped MCP and agent instruction files, and may install Claude Code hooks when advanced/companion profiles enable hooks. This is sensitive AI-agent surface mutation, but inspection shows it is user-invoked, documented, package-aligned, and not delivered through npm install lifecycle execution.
Rationale
Static inspection does not support a malicious verdict: there is no install-time execution, credential harvesting, remote code execution, or unconsented foreign agent takeover. Because the package can configure broad AI-agent surfaces and optional hooks, warn rather than mark clean.
Evidence
- package.json
- README.md
- dist/index.js
- .mcp.json
- AGENTS.md
- CLAUDE.md
- .cursor/rules/snipara.mdc
- .codex/config.toml
- .snipara/project
- .snipara/templates/*
- .snipara/companion/config.json
- .snipara/companion/doctor.json
- .snipara/activation/manifest.json
- .snipara/activation/handoff.md
- .snipara/activation/memory-candidates.json
- .claude/settings.json
- .claude/hooks/snipara-stuck-guard.sh
- .claude/hooks/snipara-startup.sh
- .claude/hooks/snipara-session.sh
Network endpoints (4)
- www.snipara.com/api/oauth/device/code
- www.snipara.com/api/oauth/device/token
- www.snipara.com/api/cli/projects/{projectSlug}/automation-client
- api.snipara.com/mcp/{projectSlug}
Decision evidence
public snapshot: AI called this Suspicious at 84.0% confidence as Dangerous Capability, with medium false-positive risk.
Evidence for warning
- dist/index.js user-invoked init writes project agent control files: AGENTS.md, CLAUDE.md, .codex/config.toml, .cursor/rules/snipara.mdc, .mcp.json.
- dist/index.js optional/advanced Claude Code hooks write .claude/settings.json and .claude/hooks scripts that receive tool input/output and call snipara-companion.
- dist/index.js sends device auth and hosted MCP/automation requests to www.snipara.com and api.snipara.com using user-provided or device-flow API keys.
Evidence against
- package.json has no install/postinstall/prepare hook; prepublishOnly only runs npm run build for publisher-side packaging.
- dist/index.js behavior is exposed through the create-snipara CLI/init/repair/upgrade commands, not import-time execution.
- Default profile is hosted-only; companion, sandbox, orchestrator, and hooks require advanced profile/options or selected profiles.
- Network endpoints and written configs are Snipara product-aligned and documented in README.md.
Behavioral surface
- Child Process
- Environment Vars
- Filesystem
- Network
- Shell
- High Entropy Strings
- Url Strings
Source & flagged code
2 flagged · dist/index.js
L9: import path from "path";
L10: import { execSync, spawn } from "child_process";
L11: import { homedir } from "os";
L12:
L13: // package.json
L14: var package_default = {
...
L60: type: "git",
L61: url: "git+https://github.com/Snipara/create-snipara.git"
L62: },
...
L134: function getActivationDir() {
L135: return path.join(process.cwd(), ".snipara", "activation");
L136: }
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.js · L99
Trigger-reachable chain: manifest.main -> dist/index.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.js · L9
Findings
2 Critical · 3 Medium · 5 Low
- Critical: Credential Exfiltration (dist/index.js)
- Critical: Trigger Reachable Dangerous Capability (dist/index.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings