AI Security Review
scanned 37m ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. A first-party CLI command can install DeepSpace agent skill/config files into local or global agent directories. This is explicit user-command setup, not npm install-time mutation.
Decision evidence
public snapshot- dist/cli.js includes explicit `deepspace skills add` command to install DeepSpace skill/config for coding agents.
- dist/cli.js writes agent-related files under project/home directories when that user command is run.
- package.json has no install/preinstall/postinstall hooks; only prepublishOnly build.
- CLI package-manager and shell usage is user-invoked, not install-time or import-time.
- Network calls target DeepSpace-owned service URLs or app-relative local endpoints.
- scripts/add-feature.cjs patches project files/package.json but explicitly does not run npm install.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cli.jsView on unpkg · L4Package source invokes a package manager install command at runtime.
dist/cli.jsView on unpkg · L1856