registry  /  dictum-cli  /  0.3.0

dictum-cli@0.3.0

Prompt-polishing CLI with an MCP host-brain overlay: type or dictate a rough thought, get a clear, structured prompt — in your clipboard or right inside your coding agent

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit integration command registers Dictum hooks, MCP servers, skills, and optional project rules in AI coding hosts. No install-time or stealth activation is present.

Static reason
No blocking static signals were detected.
Trigger
User runs `dictum integrate <host>` or `dictum codex setup`.
Impact
A user-approved setup can cause future agent prompts to invoke Dictum's prompt-review workflow.
Mechanism
Explicit AI-agent configuration and hook registration.
Rationale
The package has a real, explicit AI-agent control-surface setup capability but no unconsented install-time activation or concrete malicious behavior. Per policy, this warrants a warning rather than a block.
Evidence
package.jsonbin/dictum.jssrc/cli.tssrc/hosts/codex.tssrc/hosts/shared.tssrc/polisher/openai_compat.tssrc/hosts/claude.tssrc/hosts/cursor.tssrc/hosts/devin.ts
Network endpoints3
api.openai.comapi.anthropic.com127.0.0.1:5500

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `dictum integrate` mutates Codex, Claude, Cursor, and Devin host configuration.
  • Codex setup installs a managed skill and `UserPromptSubmit` hook invoking `dictum prompt-hook`.
  • Shared installer atomically merges JSON/MCP configuration and writes managed rule files.
  • Hook guidance can direct connected agents to Dictum MCP tools before task execution.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `bin/dictum.js` only dispatches the CLI; integration is not import-time behavior.
  • Network calls target configured STT/LLM endpoints, including OpenAI- and Anthropic-compatible APIs.
  • No credential harvesting, arbitrary remote payload loading, eval, or destructive filesystem behavior found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 35 file(s), 170 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

6 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings