registry  /  httpdr-setup  /  1.0.1

httpdr-setup@1.0.1

Catalogo e CLI para skills de agentes de IA em PT-BR, com setup cross-harness para Claude Code, Codex e GitHub Copilot.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A user explicitly runs the CLI to generate or copy agent-harness files into the chosen project or `~/.ai-harness`. No install-time execution, network egress, or remote command path is established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit `httpdr-setup setup`, `init`, `ecc-sync`, or `plugin install` command.
Impact
Can alter agent instruction/configuration files in the selected target, including project-local `.codex`, `.claude`, and `.github` paths.
Mechanism
User-invoked AI-agent configuration and vendored-resource copier.
Rationale
This is an explicit user-command agent configuration tool rather than concrete malicious behavior. Its broad configuration writes merit a warning under the agent-extension lifecycle policy, but blocking is not supported by the inspected source.
Evidence
package.jsonbin/httpdr-setup.mjsapps/cli/index.mjslib/setup-runner.mjslib/ecc-resource-installer.mjslib/plugin-generator.mjsAGENTS.md.ai-harness/**.codex/AGENTS.md.codex/config.tomlCLAUDE.md.claude/settings.cross-harness.example.json.github/copilot-instructions.md.github/prompts/ai-setup-audit.prompt.md

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `setup` writes project/global AI-agent configuration.
  • `lib/setup-runner.mjs` can modify `AGENTS.md`, `.codex`, `.claude`, and Copilot instruction paths.
  • CLI `setup` automatically invokes vendored ECC-resource installation.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or `prepare` hook.
  • `bin/httpdr-setup.mjs` only imports the user-invoked CLI.
  • `spawnSync` is limited to local `git` inspection with `shell: false`.
  • No network client, socket, eval, dynamic loader, or executable payload was found.
  • Setup writes safety-oriented rules and a Claude example config; it does not execute its generated hook.
  • Scanner reverse-shell label is unsupported by `lib/setup-runner.mjs` source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 39 file(s), 153 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
lib/setup-runner.mjsView file
3import path from "node:path"; L4: import { spawnSync } from "node:child_process"; L5: import { discoverSkills, normalizeSkillName } from "./skills.mjs"; ... L56: const repoRoot = path.resolve(args.repoRoot || path.join(path.dirname(new URL(import.meta.url).pathname), "..")); L57: const target = path.resolve(args.target || process.cwd()); L58: const globalTarget = path.resolve(args["global-target"] || path.join(os.homedir(), ".ai-harness")); ... L71: const audit = auditProject(target, inventory); L72: const generatedAt = process.env.HTTPDR_SETUP_NOW || new Date().toISOString(); L73: ... L225: const exists = (relativePath) => fs.existsSync(path.join(root, relativePath)); L226: const pkg = readJson(path.join(root, "package.json")); L227: const scripts = pkg?.scripts || {};
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

lib/setup-runner.mjsView on unpkg · L3
3Trigger-reachable chain: manifest.exports -> packages/core/index.mjs -> lib/setup-runner.mjs L3: import path from "node:path"; L4: import { spawnSync } from "node:child_process"; L5: import { discoverSkills, normalizeSkillName } from "./skills.mjs"; ... L56: const repoRoot = path.resolve(args.repoRoot || path.join(path.dirname(new URL(import.meta.url).pathname), "..")); L57: const target = path.resolve(args.target || process.cwd()); L58: const globalTarget = path.resolve(args["global-target"] || path.join(os.homedir(), ".ai-harness")); ... L71: const audit = auditProject(target, inventory); L72: const generatedAt = process.env.HTTPDR_SETUP_NOW || new Date().toISOString(); L73: ... L225: const exists = (relativePath) => fs.existsSync(path.join(root, relativePath)); L226: const pkg = readJson(path.join(root, "package.json")); L227: const scripts = pkg?.scripts || {};
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

lib/setup-runner.mjsView on unpkg · L3
3import path from "node:path"; L4: import { spawnSync } from "node:child_process"; L5: import { discoverSkills, normalizeSkillName } from "./skills.mjs";
High
Child Process

Package source references child process execution.

lib/setup-runner.mjsView on unpkg · L3
skills/comunicacao/sprint-review-deck/scripts/collect-git-context.shView file
path = skills/comunicacao/sprint-review-deck/scripts/collect-git-context.sh kind = build_helper sizeBytes = 3033 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/comunicacao/sprint-review-deck/scripts/collect-git-context.shView on unpkg

Findings

2 Critical2 High3 Medium4 Low
CriticalReverse Shelllib/setup-runner.mjs
CriticalTrigger Reachable Dangerous Capabilitylib/setup-runner.mjs
HighChild Processlib/setup-runner.mjs
HighShell
MediumEnvironment Vars
MediumShips Build Helperskills/comunicacao/sprint-review-deck/scripts/collect-git-context.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings