AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The explicit npx crumbtrail wizard authenticates to its service, installs selected SDK packages, and writes requested instrumentation only after its setup flow.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall lifecycle hook.
- dist/cli.cjs runs only as the explicit crumbtrail CLI entrypoint.
- Network requests target the package-aligned default https://app.crumbtrail.dev for login, project provisioning, and verification.
- dist/cli.cjs sends only the configured CLI token/API key as authentication to that endpoint.
- dist/chunk-MZDASWQ7.js limits writes to planned target entry files and a CRUMBTRAIL_KEY .env entry.
- child_process use is fixed-argument git status, package-manager install, and browser opening; no eval or remote code loading found.
Source & flagged code
4 flagged · loading sourcePackage source references child process execution.
dist/chunk-MZDASWQ7.jsView on unpkg · L688Source appears to send environment or credential material to an external endpoint.
dist/cli.cjsView on unpkg · L46A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.cjsView on unpkg · L46A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.cjsView on unpkg · L1580