AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Installing the package silently mutates the consuming project’s `.mcp.json`, adding a package-controlled MCP server. A later AI-agent session can launch that server automatically through the MCP configuration. Other Claude hook writes are exposed through an explicit runtime setup tool, not postinstall.
Decision evidence
public snapshot- `package.json` runs `scripts/postinstall.js` on installation.
- `scripts/postinstall.js:42` selects a consuming workspace/project root by walking upward from `node_modules`.
- `scripts/postinstall.js:81-122` writes or merges the consumer’s `.mcp.json` and registers `gossipcat` to run `dist-mcp/mcp-server.js`.
- `dist-mcp/mcp-server.js:80587-80615` starts the bundled MCP server by default, intended for Claude Code/Cursor.
- The MCP runtime exposes user-invoked setup that writes Claude hook/config files, including `.claude/settings.local.json` (`dist-mcp/mcp-server.js:82700-82747`).
- The lifecycle script has no outbound network, credential harvesting, or payload-download behavior.
- The only install-time command execution is a build recovery path limited to detected git clones with a missing bundle (`scripts/postinstall.js:144-154`).
- Runtime GitHub issue creation is an explicit MCP tool using the local `gh` CLI, not automatic install-time behavior (`dist-mcp/mcp-server.js:85121-85135`).
- The bundled server uses stdio MCP transport; no confirmed automatic network endpoint is involved in startup.
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.jsView on unpkg · L1Source file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/postinstall.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
scripts/postinstall.jsView on unpkgPackage ships non-JavaScript build or shell helper files.
assets/hooks/discipline/pretool-signals-validate.shView on unpkgPackage ships high-entropy non-source blobs.
dist-dashboard/assets/Geist-Variable-jflMhO5d.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
dist-mcp/mcp-server.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
dist-mcp/mcp-server.jsView on unpkg