AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked setup CLI that authenticates with its service, installs its SDK, and injects configuration into the selected project.
Decision evidence
public snapshot- package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
- dist/cli.cjs runs only when the crumbtrail CLI entrypoint is invoked.
- Network requests use the configured Crumbtrail endpoint, defaulting to https://app.crumbtrail.dev.
- Environment access is limited to Crumbtrail settings/key and local display/config paths.
- child_process use is fixed-argument git status, opening a login browser, and user-visible package-manager installation.
- Writes are explicit setup actions: detected project entry file and that package's .env; ambiguous plans do not edit files.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/chunk-MZDASWQ7.jsView on unpkg · L688Source appears to send environment or credential material to an external endpoint.
dist/cli.cjsView on unpkg · L46A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.cjsView on unpkg · L46This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli.cjsView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.cjsView on unpkg · L1580