registry  /  cssgraph  /  0.3.1

cssgraph@0.3.1

CSS intelligence for AI coding agents — surgical style context, fewer tool calls, faster answers. 100% local.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit installer commands modify AI-agent configuration and instruction files. The Claude target can register a prompt hook and broad cssgraph MCP permission; the Codex target registers a local stdio MCP server.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `cssgraph install` (or provides installer flags).
Impact
Selected agents may launch `cssgraph serve --mcp`; Claude may invoke `cssgraph prompt-hook` on submitted prompts.
Mechanism
First-party AI-agent MCP/configuration setup with optional Claude prompt hook.
Rationale
Source inspection confirms an explicit, first-party AI-agent configuration installer rather than malicious npm lifecycle behavior. Warn because it can alter broad user-level agent configuration and prompt-hook behavior after a user invokes installation.
Evidence
package.jsondist/bin/cssgraph.jsdist/installer/index.jsdist/installer/targets/codex.jsdist/installer/targets/claude.jsdist/installer/targets/shared.js~/.codex/config.toml~/.codex/AGENTS.md~/.claude/settings.json~/.claude/CLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/bin/cssgraph.js` exposes explicit `install` and `uninstall` commands for AI-agent integration.
  • `dist/installer/targets/codex.js` writes a `cssgraph` MCP subprocess entry to `~/.codex/config.toml` and inserts instructions into `~/.codex/AGENTS.md`.
  • `dist/installer/targets/claude.js` can add a `UserPromptSubmit` hook running `cssgraph prompt-hook` and auto-allow `mcp__cssgraph__*`.
  • `dist/installer/index.js` can run `npm install -g cssgraph`, but only after the interactive installer prompt.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • Installer code is reached only from explicit CLI `cssgraph install`/`uninstall` actions, not package import.
  • No outbound network API usage or credential/environment exfiltration was found in distributed JavaScript.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 53 file(s), 364 KB of source, external domains: docs.claude.com, docs.cursor.com, github.com, google-gemini.github.io, opencode.ai

Source & flagged code

5 flagged · loading source
dist/installer/index.jsView file
52exports.runUninstaller = runUninstaller; L53: const child_process_1 = require("child_process"); L54: const path = __importStar(require("path"));
High
Child Process

Package source references child process execution.

dist/installer/index.jsView on unpkg · L52
106try { L107: (0, child_process_1.execSync)('npm install -g cssgraph', { stdio: 'pipe', windowsHide: true }); L108: s.stop('Installed cssgraph CLI on PATH');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/installer/index.jsView on unpkg · L106
60// eslint-disable-next-line @typescript-eslint/no-implied-eval L61: const importESM = new Function('specifier', 'return import(specifier)'); L62: function getVersion() {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/installer/index.jsView on unpkg · L60
dist/project-config.jsView file
43exports.extractCodeTokens = extractCodeTokens; L44: const path = __importStar(require("path")); L45: const fs = __importStar(require("fs"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/project-config.jsView on unpkg · L43
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cssgraph@0.2.5 matchedIdentity = npm:Y3NzZ3JhcGg:0.2.5 similarity = 0.591 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/installer/index.js
HighShell
HighRuntime Package Installdist/installer/index.js
MediumDynamic Requiredist/project-config.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/installer/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings